diff --git a/docs/features/index.rst b/docs/features/index.rst new file mode 100644 index 000000000..8919f7899 --- /dev/null +++ b/docs/features/index.rst @@ -0,0 +1,23 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Features +======== + +.. toctree:: + :maxdepth: 1 + :glob: + + */index diff --git a/docs/features/lifecycle/architecture/chklst_arc_inspection.rst b/docs/features/lifecycle/architecture/chklst_arc_inspection.rst new file mode 100644 index 000000000..790dd1613 --- /dev/null +++ b/docs/features/lifecycle/architecture/chklst_arc_inspection.rst @@ -0,0 +1,205 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +.. document:: Lifecycle Architecture Inspection Checklist + :id: doc__lifecycle_arc_inspection + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__sw_arch_verification + +Architecture Inspection Checklist +================================= + +Purpose +------- + +The purpose of the software architecture checklist is to ensure that the design meets the criteria and quality as +defined per project processes and guidelines for feature and component architectural design elements. +It helps to check the compliance with requirements, identify errors or inconsistencies, and ensure adherence to best +practices. +The checklist guides evaluation of the architecture design, identifies potential problems, and aids in +communication and documentation of architectural decisions to stakeholders. + +Conduct +------- + +As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled: + +- content responsible (author): +- reviewer: +- moderator: + +Checklist +--------- + +It is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additionally to add in the remarks why it is passed or not passed. +In case of "no" an issue link to the issue tracking system has to be added in the last column (if not solved in the same issue). +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Architecture Design Review Checklist + :header-rows: 1 + + * - Review Id + - Acceptance criteria + - Guidance + - passed + - Remarks + - Issue link + * - ARC_01_01 + - Is the traceability from software architectural elements to requirements, and other level architectural elements (e.g. component to interface) established according to the "Relations between the architectural elements" as described in :need:`doc_concept__arch_process`? + - Trace should be checked automatically by tool support in the future. It will be removed from the checklist once the requirement (:need:`Correlations of the architectural building blocks `) is implemented. Refer to `Tool Requirements `_ for the current status. + - + - + - + * - ARC_01_02 + - Does the software architecture design consider all the requirements allocated to the architectural element, including functional, non-functional, safety, and security requirements and all related design decisions? + - Check if all requirements allocated to the architectural element are considered in the design. This includes functional requirements (e.g. functional safety requirements), non-functional requirements (e.g. performance, reliability), and security requirements (e.g. confidentiality, integrity). Additionally, ensure that all related design decisions are taken into account and documented in the architectural design. + - + - + - + * - ARC_01_03 + - If the architectural element is related to any supplier manuals (including safety and security), are the relevant parts covered? + - If the architecture makes use of supplied elements, their manuals (like safety) have to be considered (i.e. its provided functionality matches the expectation and assumptions are fulfilled). Note that in case of safety component this means that assumed Technical Safety Requirements and AoUs of the safety manual are covered. + - + - + - + * - ARC_01_04 + - Is the architectural element traceable to the lower-level artifacts as defined by the work product traceability? + - + - + - + - + * - ARC_02_01 + - Is the software architecture design compliant with the overall feature architecture? + - On component level check against the feature architecture, on feature level check other features with common components used. + - + - + - + * - ARC_02_02 + - Is appropriate and comprehensible operation and interface naming present in the architectural design? + - Check :need:`gd_guidl__arch_design` + - + - + - + * - ARC_02_03 + - Are the correctness of data flow and control flow within the architectural elements considered? + - For example, examine definitions, transformations, integrity, and interaction of data; check error handling, data exchange between elements, correct response to inputs, and documented decision making. + Note: Consistency is ensured by the process/tooling, by defining each interface only once. + - + - + - + * - ARC_02_04 + - Are the interfaces between the software architectural element and other architectural elements well defined? + - Check if the interface handles undefined behaviour or errors; can established protocols be used; are the interfaces for inputs, outputs, and error codes documented; is loose coupling considered and only limited exposure; can unit or integration tests be written against the interface; data amount transferred; ensure no sensitive data is exposed; + - + - + - + * - ARC_02_05 + - Does the software architectural element consider the timing constraints (from the parent requirement)? + - If there are strict timing requirements, a programming time estimation should be performed and deadline supervision should be considered. + - + - + - + * - ARC_02_06 + - Is the documentation of the software architectural element, including textual and graphical descriptions (e.g., UML diagrams), clear and complete? + - Use of semi-formal notation is expected for architectural elements with an allocated ASIL level. Is the architecture template correctly filled? + - + - + - + * - ARC_03_01 + - Is the architectural element modular and encapsulated? + - Check, for example, that only minimal interfaces are used. The design should be object oriented. Interfaces and interactions are clearly defined. Usage of access types (private, protected) is properly set. Limited global variables. + - + - + - + * - ARC_03_02 + - Is the suitability of the software architecture for future modifications and maintainability considered? + - Check for, for example, loose coupling, separation of concerns, high cohesion, versioning strategy for interfaces, decision records, and use of established design patterns. + - + - + - + * - ARC_03_03 + - Are simplicity and avoidance of unnecessary complexity present in the software architecture? + - Indicators of complexity include: the number of use cases (corresponding to dynamic diagrams) allocated to a single design element, the number of interfaces and operations in an interface, function parameters, global variables, complex types, and limited comprehensibility. + + Notes: + + If the "number of use cases" or "number of interfaces" above exceeds "3" or "number of function parameters" exceeds "5" or the "number of operations" exceeds "20" or global variables are used, a design rationale is mandatory. + - + - + - + * - ARC_03_04 + - Is the software architecture design following best practices and design principles? + - Refer to architectural guidelines and recommendations within the project documentation. + - + - + - + * - ARC_04_01 + - If your software architectural design includes processes with different safety ratings (QM/ASIL), is freedom from interference for shared resources (CPU time, shared memory, etc.) ensured? See also ARC_04_03. + + Note: see :need:`std_req__iso26262__software_7411` and :need:`std_req__iso26262__software_749` with Annex D for partitioning to ensure freedom from interference. + Note: Modules should not mix ASIL and QM processes unless justified otherwise; therefore, this question is only relevant on the feature level. + - + Check whether your architecture design complies with project guidelines to establish freedom from interference between components. This can be achieved, for example, by using a hypervisor or an OS that supports partitioning with an MMU or specific scheduling mechanisms, as well as safety mechanisms like watchdogs or program flow monitoring. + Also check if the operating system supports freedom from interference between the processes and make sure an "Assumption of Use requirement" for this exists in your project. For example, see `score aou_req__platform__process_isolation `_. + - + - + - + * - ARC_04_02 + - Does the software architectural design consider its feasibility with respect to the required resources for the embedded software, especially for time-critical aspects like startup time, but also including RAM, ROM, non-volatile memory, communication bandwidth, and processing time limits according to the requirements or foreseeable customer needs? See also ARC_02_05. + + Note: see :need:`std_req__iso26262__software_7413` + - + Check if there are any limits for resource consumption or timing aspects in your project, such as startup time, communication bandwidth, or memory usage. If such limits exist, ensure that your architecture takes these limits into account, especially with respect to scalability. For this, make an estimation of the required resources based on the architectural design and a prototypical implementation or a measurement of an existing implementation, and compare it to the defined limits or planned scalability. Check if any bottlenecks are present in the architecture that could lead to resource overuse or timing violations. + - + - + - + * - ARC_04_03 + - If your software architectural design includes processes and tasks, are their scheduling policies and priorities (at least the necessary relationships between them) defined to ensure that timing requirements are met? Please note that the particular priorities or priority ranges will probably be defined by the project handbook or the software development plan. + + Note: see :need:`std_req__iso26262__software_743` + - Provide a rationale for these scheduling policies and priorities, or explain why they are not needed. + - + - + - + + +.. attention:: + The above checklist entries must be filled according to your feature architecture in scope. + +Note: If a Review ID is not applicable for your architecture, then state ""n/a" in status and comment accordingly in remarks. + +The following static views in "valid" state and with "inspected" tag set are in the scope of this inspection: + +.. needtable:: + :filter: "lifecycle" in docname and "architecture" in docname and docname is not None and status == "valid" + :style: table + :types: feat_arc_sta + :tags: lifecycle + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +and the following dynamic views: + +.. needtable:: + :filter: "lifecycle" in docname and "architecture" in docname and docname is not None and status == "valid" + :style: table + :types: feat_arc_dyn + :tags: lifecycle + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title diff --git a/docs/features/lifecycle/architecture/index.rst b/docs/features/lifecycle/architecture/index.rst new file mode 100644 index 000000000..55cc80792 --- /dev/null +++ b/docs/features/lifecycle/architecture/index.rst @@ -0,0 +1,143 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Feature Architecture +==================== + +.. document:: Lifecycle Architecture + :id: doc__lifecycle_architecture + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__feature_arch + +Overview +-------- + + +Description +----------- + + + + + + + +Requirements +------------ + +The requirements for the feature architecture are defined in the `requirements` section of the feature documentation in the project repository. + +Rationale Behind Architecture Decomposition +******************************************* + +Mandatory: A motivation for the decomposition + +.. note:: Common decisions across features / cross cutting concepts is at the high level. + +Static Architecture +------------------- + +The live feature architecture template snippets are maintained in the +`module template documentation `__. + +.. code-block:: rst + + .. feat_arc_sta:: Feature Static View + :id: feat_arc_sta__feature_name__static_view + :security: YES + :safety: ASIL_B + :status: invalid + :fulfils: feat_req__feature_name__some_title + :includes: logic_arc_int__feature_name__interface_name1 + :belongs_to: feat__feature_name + + .. needarch:: + :scale: 50 + :align: center + + {{ draw_feature(need(), needs) }} + +Dynamic Architecture +-------------------- + +.. code-block:: rst + + .. feat_arc_dyn:: Dynamic View + :id: feat_arc_dyn__feature_name__dynamic_view + :security: YES + :safety: ASIL_B + :status: invalid + :fulfils: feat_req__feature_name__some_title + :belongs_to: feat__feature_name + + Put here a sequence diagram + +Logical Interfaces +------------------ + +The logical interfaces of the feature are defined in the `logical interfaces` section of the feature documentation in the project repository. + +Module Viewpoint +---------------- + +The following modules are needed to be defined to be able to draw the static feature view. +They will be replaced by linking the proper module definitions in the used module's repositories as soon as those exist. + +The rendered module and used-component examples are maintained in the +`module template documentation `_. + +.. code-block:: rst + + .. mod:: Module Name + :id: mod__module_name + :includes: comp__component_name_template + + + .. mod_view_sta:: Module Name Static View + :id: mod_view_sta__feature_name__module_name + :includes: comp__component_name_template + + .. needarch:: + :scale: 50 + :align: center + + {{ draw_module(need(), needs) }} + +Used Components +--------------- + +The following components are needed to be defined to be able to draw the static feature view. +They will be replaced by linking the proper SW component definitions in the used module's repositories as soon as those exist. + +.. code-block:: rst + + .. comp:: Component Name + :id: comp__component_name_template + :safety: ASIL_B + :security: YES + :status: invalid + :implements: logic_arc_int__feature_name__interface_name1 + +.. note:: + Architecture can be split into multiple files, it is an high level architecture design + which can be shown without actual c++/rust interfaces and data types + and there will be link to internal architecture till code to get actual api descriptions. + +.. attention:: + The above directives must be updated according to your feature architecture. + + - Replace the example content by the real content (according to :need:`gd_guidl__arch_design`) + - Set the status to valid and start the review/merge process diff --git a/docs/features/lifecycle/index.rst b/docs/features/lifecycle/index.rst new file mode 100644 index 000000000..17248bf26 --- /dev/null +++ b/docs/features/lifecycle/index.rst @@ -0,0 +1,34 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +[Your Feature Name] +################### + +Abstract +======== + +[A short (~200 word) description of the feature.] + +For the main feature description and requirements, see the belonging `Feature `_ in the project repository. + +.. toctree:: + :hidden: + + architecture/index.rst + architecture/chklst_arc_inspection.rst + safety_analysis/fmea.rst + safety_analysis/dfa.rst + safety_analysis/aou_requirements.rst + safety_planning/index.rst + security_planning/index.rst diff --git a/docs/features/lifecycle/safety_analysis/aou_requirements.rst b/docs/features/lifecycle/safety_analysis/aou_requirements.rst new file mode 100644 index 000000000..6a6a53dad --- /dev/null +++ b/docs/features/lifecycle/safety_analysis/aou_requirements.rst @@ -0,0 +1,37 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +AoU Feature Requirements +======================== + +.. document:: Lifecycle Feature AoU + :id: doc__lifecycle_feat_aou + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__requirements_feat_aou + +Feature AoU +----------- + +.. code-block:: rst + + .. aou_req:: Some Other Title + :id: aou_req__feature_name__some_other_title + :reqtype: Process + :security: NO + :safety: ASIL_B + :status: invalid + + The Feature User shall do xyz to use the feature safely. diff --git a/docs/features/lifecycle/safety_analysis/dfa.rst b/docs/features/lifecycle/safety_analysis/dfa.rst new file mode 100644 index 000000000..eeacb7e6b --- /dev/null +++ b/docs/features/lifecycle/safety_analysis/dfa.rst @@ -0,0 +1,199 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +DFA (Dependent Failure Analysis) +================================ + +.. document:: Lifecycle DFA + :id: doc__lifecycle_dfa + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__feature_dfa + +.. note:: Use the content of the document to describe e.g. why a fault model is not applicable for the diagram. + + +The DFA for the feature Lifecycle is performed. To show evidence that all failure initiators are considered, the applicability has to be filled out in the +following tables. For all applicable failure initiators, the DFA has to be performed. + +Dependent Failure Initiators +---------------------------- + +Shared resources +^^^^^^^^^^^^^^^^ + +The dependent failure initiators related to shared resources are not applicable for the features. The shared resources +will be considered in the platform DFA. + +Communication between the two elements +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Receiving function is affected by information that is false, lost, sent multiple times, or in the wrong order etc. from the sender. + +.. list-table:: DFA communication between elements + :header-rows: 1 + :widths: 10,20,10,20 + + * - ID + - Violation cause communication between elements + - Applicability + - Rationale + * - CO_01_01 + - Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow) + - + - + * - CO_01_02 + - Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information + - + - + * - CO_01_03 + - Insertion / sequence of information + - + - + * - CO_01_04 + - Corruption of information, inconsistent data + - + - + * - CO_01_05 + - Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same information + - + - + * - CO_01_06 + - Information from a sender received by only a subset of the receivers + - + - + * - CO_01_07 + - Blocking access to a communication channel + - + - + +Shared information inputs +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Same information input used by multiple functions. + +.. list-table:: DFA shared information inputs + :header-rows: 1 + :widths: 10,20,10,20 + + * - ID + - Violation cause shared information inputs + - Applicability + - Rationale + * - SI_01_02 + - Configuration data + - + - + * - SI_01_03 + - Constants, or variables, being global to the two software functions + - + - + * - SI_01_04 + - Basic software passes data (read from hardware register and converted into logical information) to two applications software functions + - + - + * - SI_01_05 + - Data / function parameter arguments / messages delivered by software function to more than one other function + - + - + +Unintended impact +^^^^^^^^^^^^^^^^^ + +Unintended impacts to function due to various failures. + +.. list-table:: DFA unintended impact + :header-rows: 1 + :widths: 10,20,10,20 + + * - ID + - Violation cause unintended impact + - Applicability + - Rationale + * - UI_01_01 + - Memory miss-allocation and leaks + - + - + * - UI_01_02 + - Read/Write access to memory allocated to another software element + - + - + * - UI_01_03 + - Stack/Buffer under-/overflow + - + - + * - UI_01_04 + - Deadlocks + - + - + * - UI_01_05 + - Livelocks + - + - + * - UI_01_06 + - Blocking of execution + - + - + * - UI_01_07 + - Incorrect allocation of execution time + - + - + * - UI_01_08 + - Incorrect execution flow + - + - + * - UI_01_09 + - Incorrect synchronization between software elements + - + - + * - UI_01_10 + - CPU time depletion + - + - + * - UI_01_11 + - Memory depletion + - + - + * - UI_01_12 + - Other HW unavailability + - + - + + +DFA +=== + +For all identified applicable failure initiators, the DFA is performed in the following section. + +.. code-block:: rst + + .. feat_saf_dfa:: + :violates: <Feature architecture> + :id: feat_saf_dfa__<Feature>__<Element descriptor> + :failure_id: <ID from DFA failure initiators :need:`gd_guidl__dfa_failure_initiators`> + :failure_effect: "description of failure effect of the failure initiator on the element" + :mitigated_by: <ID from Feature Requirement | ID from AoU Feature Requirement> + :mitigation_issue: <ID from Issue Tracker> + :sufficient: <yes|no> + :status: <valid|invalid> + + .. note:: Argument is inside the 'content'. Therefore content is mandatory. + +.. attention:: + The above directive must be updated according to your feature DFA. + + - The above "code-block" directive must be updated + - Fill in all the needed information in the <brackets> diff --git a/docs/features/lifecycle/safety_analysis/fmea.rst b/docs/features/lifecycle/safety_analysis/fmea.rst new file mode 100644 index 000000000..e40ebc35d --- /dev/null +++ b/docs/features/lifecycle/safety_analysis/fmea.rst @@ -0,0 +1,127 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +FMEA (Failure Modes and Effects Analysis) +========================================= + +.. document:: Lifecycle FMEA + :id: doc__lifecycle_fmea + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__feature_fmea + +.. note:: Use the content of the document to describe e.g. why a fault model is not applicable for the diagram. + + +The FMEA for the feature Lifecycle is performed. To show evidence that all failure initiators are considered, the applicability has to be filled out in the +following tables. For all applicable failure initiators, the FMEA has to be performed. + +Failure Mode List +----------------- + +.. list-table:: Fault Models for sequence diagrams + :header-rows: 1 + :widths: 10,20,10,20 + + * - ID + - Failure Mode + - Applicability + - Rationale + * - MF_01_01 + - message is not received (is a subset/more precise description of MF_01_05) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_02 + - message received too late (only relevant if delay is a realistic fault) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_03 + - message received too early (usually not a problem) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_04 + - message not received correctly by all recipients (different messages or messages partly lost). Only relevant if the same message goes to multiple recipients. + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_05 + - message is corrupted + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_06 + - message is not sent + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_07 + - message is unintended sent + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - CO_01_01 + - minimum constraint boundary is violated + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - CO_01_02 + - maximum constraint boundary is violated + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_01 + - Process calculates wrong result(s) (is a subset/more precise description of MF_01_05 or MF_01_04). This failure mode is related to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size / complexity of the feature. + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_02 + - processing too slow (only relevant if timing is considered) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_03 + - processing too fast (only relevant if timing is considered) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_04 + - loss of execution + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_05 + - processing changes to arbitrary process + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_06 + - processing is not complete (infinite loop) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + +FMEA +---- +For all identified applicable failure initiators, the FMEA is performed in the following section. + +.. code-block:: rst + + + .. feat_saf_fmea:: <Title> + :violates: <Feature architecture> + :id: feat_saf_fmea__<Feature>__<Element descriptor> + :fault_id: <ID from fault model :need:`gd_guidl__fault_models`> + :failure_effect: "description of failure effect of the fault model on the element" + :mitigated_by: <ID from Feature Requirement | ID from AoU Feature Requirement> + :mitigation_issue: <ID from Issue Tracker> + :sufficient: <yes|no> + :status: <valid|invalid> + + .. note:: Argument is inside the 'content'. Therefore content is mandatory. + +.. attention:: + The above directive must be updated according to your feature FMEA. + + - The above "code-block" directive must be updated + - Fill in all the needed information in the <brackets> diff --git a/docs/features/lifecycle/safety_planning/index.rst b/docs/features/lifecycle/safety_planning/index.rst new file mode 100644 index 000000000..fb4e44dfe --- /dev/null +++ b/docs/features/lifecycle/safety_planning/index.rst @@ -0,0 +1,144 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Feature Safety Work Products List +################################# + +.. document:: Lifecycle Safety WPs + :id: doc__lifecycle_safety_wp + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__platform_safety_plan + +Tailoring +========= + +Additional to the tailoring in the SW platform project as defined in the project's :need:`wp__platform_safety_plan` we define here the additional tailoring on feature level. + +- Excluded for this feature are additionally the following work products (and their related requirements): + + - <work product/requirement> - <Argumentation why it is not needed or replaced by another work product or activity.> + + +Safety Work products List +========================= + +.. list-table:: Feature Lifecycle Work products + :header-rows: 1 + + * - Work product Id + - Link to process + - Process status + - Link to WP + + * - :need:`wp__feat_request` + - :need:`gd_temp__change_feature_request` + - :ndf:`copy('status', need_id='gd_temp__change_feature_request')` + - :need:`doc__lifecycle` + + * - :need:`wp__requirements_feat` + - :need:`gd_temp__req_feat_req` + - :ndf:`copy('status', need_id='gd_temp__req_feat_req')` + - doc__lifecycle_requirements + + * - :need:`wp__requirements_feat_aou` + - :need:`gd_temp__req_aou_req` + - :ndf:`copy('status', need_id='gd_temp__req_aou_req')` + - :need:`doc__lifecycle_feat_aou` + + * - :need:`wp__feature_arch` + - :need:`gd_temp__arch_feature` + - :ndf:`copy('status', need_id='gd_temp__arch_feature')` + - :need:`doc__lifecycle_architecture` + + * - :need:`wp__feature_fmea` + - :need:`gd_temp__feat_saf_fmea` + - :ndf:`copy('status', need_id='gd_temp__feat_saf_fmea')` + - :need:`doc__lifecycle_fmea` + + * - :need:`wp__feature_dfa` + - :need:`gd_temp__feat_saf_dfa` + - :ndf:`copy('status', need_id='gd_temp__feat_saf_dfa')` + - :need:`doc__lifecycle_dfa` + + * - :need:`wp__requirements_inspect` + - :need:`gd_chklst__req_inspection` + - :ndf:`copy('status', need_id='gd_chklst__req_inspection')` + - doc__lifecycle_req_inspection + + * - :need:`wp__sw_arch_verification` + - :need:`gd_chklst__arch_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__arch_inspection_checklist')` + - :need:`doc__lifecycle_arc_inspection` + + * - :need:`wp__verification_feat_int_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - <Link to WP> + +.. attention:: + The above table must be updated according to your feature safety planning. + + - Fill the work products links + +Feature Safety Package +====================== + +To create the safety package (according to :need:`gd_guidl__saf_package`) the following +documents and work products status have to go to "valid" (after the relevant verification were performed). + +Feature Documents Status +------------------------ + +For all the work product documents the status can be seen by following the "Link to WP". +A summary of the status is also documented in the project's documentation management plan. + +See <add here the section reference to the documentation management plan> + +Feature Requirements Status +--------------------------- + +.. needtable:: + :filter: docname is not None and "lifecycle" in docname and "requirements" in docname + :style: table + :types: feat_req + :tags: lifecycle + :columns: id;status + :colwidths: 25,25 + :sort: title + +Feature AoU Status +------------------ + +.. needtable:: + :filter: docname is not None and "lifecycle" in docname and "requirements" in docname + :style: table + :types: aou_req + :tags: lifecycle + :columns: id;status + :colwidths: 25,25 + :sort: title + +Feature Architecture Status +--------------------------- + +.. needtable:: + :filter: docname is not None and "lifecycle" in docname and "architecture" in docname + :style: table + :types: feat_arc_sta; feat_arc_dyn + :tags: lifecycle + :columns: id;status + :colwidths: 25,25 + :sort: title diff --git a/docs/features/lifecycle/security_planning/index.rst b/docs/features/lifecycle/security_planning/index.rst new file mode 100644 index 000000000..b0bd1d004 --- /dev/null +++ b/docs/features/lifecycle/security_planning/index.rst @@ -0,0 +1,134 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Feature Security Work Products List +################################### + +.. document:: Lifecycle Security WPs + :id: doc__lifecycle_security_planning_wp + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__platform_security_plan + +Tailoring +========= + +Additional to the tailoring in the SW platform project as defined in the project's :need:`wp__platform_security_plan` we define here the additional tailoring on feature level. + +- Excluded for this feature are additionally the following work products (and their related requirements): + + - <work product/requirement> - <Argumentation why it is not needed or replaced by another work product or activity.> + + +Security Work products List +=========================== + +.. list-table:: Feature Lifecycle Work products + :header-rows: 1 + + * - Work product Id + - Link to process + - Process status + - Link to WP + + * - :need:`wp__feat_request` + - :need:`gd_temp__change_feature_request` + - :ndf:`copy('status', need_id='gd_temp__change_feature_request')` + - :need:`doc__lifecycle` + + * - :need:`wp__requirements_feat` + - :need:`gd_temp__req_feat_req` + - :ndf:`copy('status', need_id='gd_temp__req_feat_req')` + - doc__lifecycle_requirements + + * - :need:`wp__requirements_feat_aou` + - :need:`gd_temp__req_aou_req` + - :ndf:`copy('status', need_id='gd_temp__req_aou_req')` + - :need:`doc__lifecycle_feat_aou` + + * - :need:`wp__feature_arch` + - :need:`gd_temp__arch_feature` + - :ndf:`copy('status', need_id='gd_temp__arch_feature')` + - :need:`doc__lifecycle_architecture` + + * - :need:`wp__requirements_inspect` + - :need:`gd_chklst__req_inspection` + - :ndf:`copy('status', need_id='gd_chklst__req_inspection')` + - doc__lifecycle_req_inspection + + * - :need:`wp__sw_arch_verification` + - :need:`gd_chklst__arch_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__arch_inspection_checklist')` + - :need:`doc__lifecycle_arc_inspection` + + * - :need:`wp__verification_feat_int_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - <Link to WP> + +.. attention:: + The above table must be updated according to your feature security planning. + + - Fill the work producs links + +Feature Security Package +======================== + +To create the security package (according to :need:`gd_guidl__security_package`) the following +documents and work products status have to go to "valid" (after the relevant verification were performed). + +Feature Documents Status +------------------------ + +For all the work product documents the status can be seen by following the "Link to WP". +A summary of the status is also documented in the project's documentation management plan. + +See <add here the section reference to the documentation management plan> + +Feature Requirements Status +--------------------------- + +.. needtable:: + :filter: docname is not None and "lifecycle" in docname and "requirements" in docname + :style: table + :types: feat_req + :tags: lifecycle + :columns: id;status + :colwidths: 25,25 + :sort: title + +Feature AoU Status +------------------ + +.. needtable:: + :filter: docname is not None and "lifecycle" in docname and "requirements" in docname + :style: table + :types: aou_req + :tags: lifecycle + :columns: id;status + :colwidths: 25,25 + :sort: title + +Feature Architecture Status +--------------------------- + +.. needtable:: + :filter: docname is not None and "lifecycle" in docname and "architecture" in docname + :style: table + :types: feat_arc_sta; feat_arc_dyn + :tags: lifecycle + :columns: id;status + :colwidths: 25,25 + :sort: title diff --git a/docs/manuals/api_description/.gitkeep b/docs/manuals/api_description/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/docs/manuals/config/.gitkeep b/docs/manuals/config/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/docs/manuals/examples/.gitkeep b/docs/manuals/examples/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/docs/manuals/index.rst b/docs/manuals/index.rst new file mode 100644 index 000000000..3c905d73f --- /dev/null +++ b/docs/manuals/index.rst @@ -0,0 +1,23 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Manuals +####### + +.. toctree:: + :titlesonly: + + user_manual + safety_manual + security_manual diff --git a/docs/manuals/performance/.gitkeep b/docs/manuals/performance/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/docs/manuals/safety_manual.rst b/docs/manuals/safety_manual.rst new file mode 100644 index 000000000..df8c81826 --- /dev/null +++ b/docs/manuals/safety_manual.rst @@ -0,0 +1,98 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Safety Manual +============= + +.. document:: Lifecycle Safety Manual + :id: doc__lifecycle_safety_manual + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__module_safety_manual + +Introduction/Scope +------------------ +| <Describe here which module (or the platform) is covered by this manual.> + +Assumed Platform Safety Requirements +------------------------------------ +| For the <Project platform / module name> the following safety related stakeholder requirements are assumed to define the top level functionality (purpose) of the <Project platform / module name>. I.e. from these all the feature and component requirements implemented are derived. +| <List here all the stakeholder requirements, with safety not equal to QM, the module's components requirements are derived from. For the platform all are relevant.> + +Assumptions of Use +------------------ + +Assumptions on the Environment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +| Generally the assumption of the project platform SEooC is that it is integrated in a safe system, i.e. the POSIX OS it runs on is qualified and also the HW related failures are taken into account by the system integrator, if not otherwise stated in the module's safety concept. +| <List here all the OS calls the project platform resp. module expects to be safe.> + +List of AoUs expected from the environment the platform / module runs on: + +.. needtable:: + :style: table + :columns: title;id;status + :colwidths: 25,25,25 + :sort: title + + results = [] + + for need in needs.filter_types(["aou_req"]): + if need and "environment" in need["tags"] and "lifecycle" in need["tags"]: + results.append(need) + +.. attention:: + Make sure these AoU are here for a safety reason, i.e. every one "mitigates" a safety analysis entry. + +Assumptions on the User +^^^^^^^^^^^^^^^^^^^^^^^ +| As there is no assumption on which specific OS and HW is used, the integration testing of the stakeholder and feature requirements is expected to be performed by the user of the platform SEooC. Tests covering all stakeholder and feature requirements performed on a reference platform (tbd link to reference platform specification), reviewed and passed are included in the platform SEooC safety package. +| Additionally the components of the platform may have additional specific assumptions how they are used. These are part of every module documentation: <link to add>. Assumptions from components to their users can be fulfilled in two ways: +| 1. There are assumption which need to be fulfilled by all SW components, e.g. "every user of an IPC mechanism needs to make sure that he provides correct data (including appropriate ASIL level)" - in this case the AoU is marked as "platform". +| 2. There are assumption which can be fulfilled by a safety mechanism realized by some other project platform component and are therefore not relevant for an user who uses the whole platform. But those are relevant if you chose to use the module SEooC stand-alone - in this case the AoU is marked as "module". An example would be the "JSON read" which requires "The user shall provide a string as input which is not corrupted due to HW or QM SW errors." - which is covered when using together with safe project platform persistency feature. + +List of AoUs on the user of the platform or the module of this safety manual: + +Note: Platform safety manual collects all platform wide AoU (have to be fulfilled by the user for any feature). +Module safety manual collects all AoUs specific to a feature and its realizing components. +This means for every feature the user selects, the platform safety manual and the related module manual has to be considered. + +.. needtable:: + :style: table + :columns: title;id;status + :colwidths: 25,25,25 + :sort: title + + results = [] + + for need in needs.filter_types(["aou_req"]): + if need and "environment" not in need["tags"] and "lifecycle" in need["tags"]: + results.append(need) + +.. attention:: + Make sure these AoU are here for a safety reason, i.e. every one "mitigates" a safety analysis entry. + +Safety concept of the SEooC +--------------------------- +| <Describe here the safety concept incl. which faults are taken care of, reactions of the implemented functions under anomalous operating conditions ... if this is not already documented sufficiently in the feature documentation "safety impact" section of all the features the module is used in.> + +Safety Anomalies +---------------- +| Anomalies (bugs in ASIL SW, detected by testing or by users, which could not be fixed) known before release are documented in the platform/module release notes <add link to release note>. + +References +---------- +| <link to the user manual> +| <other links> diff --git a/docs/manuals/security_manual.rst b/docs/manuals/security_manual.rst new file mode 100644 index 000000000..8ae5bf379 --- /dev/null +++ b/docs/manuals/security_manual.rst @@ -0,0 +1,91 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Manual +=============== + +.. document:: Lifecycle Security Manual + :id: doc__lifecycle_security_manual + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__module_security_manual + + +Introduction/Scope +------------------ +| <Describe here which module (or the platform) is covered by this manual.> + +Assumed Platform Security Requirements +-------------------------------------- +| For the <Project platform / module name> the following security related stakeholder requirements are assumed to define the top level functionality (purpose) of the <Project platform / module name>. I.e. from these all the feature and component requirements implemented are derived. +| <List here all the stakeholder requirements, with security relevance, the module's components requirements are derived from.> + +Assumptions of Use +------------------ + +Assumptions on the Environment +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +| The platform and its components are developed as Out of Context (OoC) with assumptions on the environment. + It is assumed that the platform/components are integrated in a secure system, i.e. qualified POSIX OS. + Also the HW related failures are taken into account by the system integrator, if not otherwise stated in the module's security concept. +| <List here all the OS calls the Project platform expects to be secure.> + +List of AoUs expected from the environment the platform / module runs on: + +.. needtable:: + :style: table + :columns: title;id;status + :colwidths: 25,25,25 + :sort: title + + results = [] + + for need in needs.filter_types(["aou_req"]): + if need and "environment" in need["tags"] and "lifecycle" in need["tags"]: + results.append(need) + +Assumptions on the User +^^^^^^^^^^^^^^^^^^^^^^^ +| As there is no assumption on which specific OS and HW is used, the integration testing of the stakeholder and feature requirements is expected to be performed by the user of the platform OoC. Tests covering all stakeholder and feature requirements performed on a reference platform (tbd link to reference platform specification), reviewed and passed are included in the platform OoC security package. +| Additionally the components of the platform may have additional specific assumptions how they are used. These are part of every module documentation: <link to add>. Assumptions from components to their users can be fulfilled in two ways: +| 1. There are assumption which need to be fulfilled by all SW components, e.g. "every user of an IPC mechanism needs to make sure that he provides correct data (e.g. including appropriate security (access) control)" - in this case the AoU is marked as "platform". +| 2. There are assumption which can be fulfilled by a security control realized by some other Project platform component and are therefore not relevant for an user who uses the whole platform. But those are relevant if you chose to use the module OcC stand-alone - in this case the AoU is marked as "module". An example would be the "JSON read" which requires "The user shall provide a string as input which is not corrupted due to HW or QM SW errors." - which is covered when using together with safe <Project> platform persistency feature. + +List of AoUs on the user of the platform features or the module of this Security Manual: + +.. needtable:: + :style: table + :columns: title;id;status + :colwidths: 25,25,25 + :sort: title + + results = [] + + for need in needs.filter_types(["aou_req"]): + if need and "environment" not in need["tags"] and "lifecycle" in need["tags"]: + results.append(need) + +Security concept of the OoC +---------------------------- +| <Describe here the security concept incl. which attack paths are taken care of, reactions of the implemented functions under threatened operating conditions ... if this is not already documented sufficiently in the feature documentation "security impact" section of all the features the module is used in.> + +Security Weaknesses, Vulnerabilities +------------------------------------ +| Weaknesses, vulnerabilities (bugs in security relevant SW, detected by testing or by users, which could not be fixed) known before release are documented in the platform/module release notes <add link to release note>. + +References +---------- +| <link to the user manual> +| <other links> diff --git a/docs/manuals/user_manual.rst b/docs/manuals/user_manual.rst new file mode 100644 index 000000000..4239eddba --- /dev/null +++ b/docs/manuals/user_manual.rst @@ -0,0 +1,145 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +.. _user_manual: + +User Manual +########### + +.. document:: User Manual Lifecycle + :id: doc__user_manual_lifecycle + :status: draft + :version: 1 + :safety: QM + :security: NO + :realizes: wp__training_path + + +Overview +======== + +This user manual provides comprehensive guidance for using the Lifecycle module from an end customer perspective. +It covers installation, configuration, basic usage, and best practices for integrating this module +into your project. + +.. note:: + This is a template user manual. Replace placeholder text with actual module-specific information. + +For build and test of the module itself, please refer to the :ref:`quick-start-building-testing`. + +Environment Needs +================= + +Basic needed software environment for the module development and usage: + +* **C++**: C++17 or later +* **Rust**: 1.70 or later (if Rust support is included) +* **Build System**: Bazel 6.0 or later +* **Operating Systems**: Linux, QNX + +Dependencies +------------ + +[List key external dependencies, licenses, and version requirements] + +**Example:** + +* Standard library (STL/Core) +* [Other required libraries] + +See also MODULE.bazel files for more details on dependencies. + +Module Configuration Details +============================= + +<A detailed explanation of the module configuration which can be done by end users, including the purpose and effects of the settings might be explained in the files in the config subdirectory.> + +Configuration Effects +--------------------- + +<Explain how the configuration settings affect the module's behavior, performance, and integration with other components. Include examples of typical configurations and their outcomes.> + + +Examples +======== + +<Useful examples and tutorials should be provided in the ``examples/`` directory. Link to specific examples here.> + +API Reference +============= + +For complete and detailed API documentation and descriptions, refer to the API documentation in the ``api_description/`` directory. + +Performance Considerations +========================== + +This section covers performance characteristics, optimization strategies, and resource requirements. +Refer to the ``performance/`` directory for detailed performance guides and benchmarks. + +Integration Guidelines +====================== + +Integrating with Your Project +------------------------------ + +1. Add the module to your Bazel workspace: + + .. code-block:: python + + # In your MODULE.bazel + bazel_dep(name = "module_template", version = "1.0") + +2. Reference in your build files: + + .. code-block:: python + + cc_library( + name = "my_target", + deps = ["@module_template//score/component_example:component"], + ) + +3. Include headers and compile your code + + +Version History, Compatibility, and Troubleshooting +=================================================== + +For comprehensive information on the following topics, refer to :doc:`/docs/release/index`: + +* Version history and changes +* Compatibility notes and upgrade instructions +* Known issues and limitations +* Troubleshooting tips and solutions +* Security vulnerabilities (CVEs) + +Safety and Security +=================== + +**Safety-Critical Usage**: If you are using this module in a safety-critical context, +please refer to :doc:`safety_manual` for detailed safety requirements and guidelines. + +**Security Considerations**: For information about security aspects and requirements, +please refer to :doc:`security_manual`. + +License +======= + +This module is licensed under the Apache License Version 2.0. +See the LICENSE file in the repository for full license text. + +Feedback and Contributions +========================== + +Your feedback and contributions are welcome! Please report issues or suggestions through the +project's issue tracker or contribute directly to the repository. diff --git a/docs/safety_mgt/index.rst b/docs/safety_mgt/index.rst new file mode 100644 index 000000000..87f2a1a0a --- /dev/null +++ b/docs/safety_mgt/index.rst @@ -0,0 +1,24 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Safety Management +################# + +.. toctree:: + :titlesonly: + + module_safety_plan + module_safety_plan_fdr + module_safety_package_fdr + module_safety_analysis_fdr diff --git a/docs/safety_mgt/module_safety_analysis_fdr.rst b/docs/safety_mgt/module_safety_analysis_fdr.rst new file mode 100644 index 000000000..bb94baa05 --- /dev/null +++ b/docs/safety_mgt/module_safety_analysis_fdr.rst @@ -0,0 +1,163 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +Safety Analysis Checklist +========================= + +.. document:: Lifecycle Safety Analysis Checklist + :id: doc__lifecycle_safety_analysis_fdr + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__fdr_reports + + +**Purpose** + +The purpose of this Safety Analysis (DFA and FMEA) formal review report template is to collect the topics to be checked during verification of the Safety Analysis. + +**Conduct** + +As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: + +- reviewer: **<committer with safety manager skills explicitly named here>** +- scope: **<describe the scope of the review here, e.g. "the safety analysis of the module and its results">** + +**Checklist** + +Please note that it is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additional to add in the remarks why it is passed or not passed. In case of "no" an issue link to the issue tracking system has to be added in the last column. See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + + +.. list-table:: General Checklist + :header-rows: 1 + :widths: 10,30,10,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - Gen 1 + - Are the safety analysis performed according to the defined process and templates? See :need:`gd_req__saf_structure` and also :need:`gd_temp__feat_saf_fmea` and :need:`gd_temp__feat_saf_dfa` + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_841>`, :need:`[[title]] <std_req__iso26262__analysis_849>`, :need:`[[title]] <std_req__iso26262__analysis_8410>`, :need:`[[title]] <std_req__iso26262__analysis_748>` + - <Rationale for result> + + * - Gen 2 + - Are the safety analysis performed in a systematic way to identify the potential dependent failures / failure modes and their effects? Are the failure effect and the mitigation described? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_849>`, :need:`[[title]] <std_req__iso26262__analysis_8410>` + - <Ensured and checked by application of the defined templates and processes> + + * - Gen 3 + - Is the result of the safety analysis indicate if the safety requirements are complied? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_842>` + - <Rationale for result> + + * - Gen 4 + - Are the mitigations effective and implemented? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_844>` + - <Rationale for result> + + * - Gen 5 + - Are all AoU's that are used as mitigation's created and covered in the safety manual? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_845>` + - <Rationale for result> + + * - Gen 6 + - Are additional safety-related test cases determined by potential results of the safety analyses? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_847>` + - <Rationale for result> + + +.. list-table:: DFA Checklist + :header-rows: 1 + :widths: 10,30,10,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - DFA 1 + - Are the potential dependent failures identified by performing a DFA? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_741>` + - <Rationale for result> + + * - DFA 2 + - Is it plausible that each potential identified dependent failure that has been identified, will lead to a dependent failure which cause a violation of FFI? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_742>` + - <Rationale for result> + + * - DFA 3 + - Are applicable operational situations and operating modes considered? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_743>` + - <Rationale for result> + + * - DFA 4 + - Are the failure initiators :need:`[[title]] <gd_guidl__dfa_failure_initiators>` suitable and applied? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_744>` + - <Rationale for result> + + * - DFA 5 + - Is a rationale provided for each identified potential dependent failure? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_745>` + - <Rationale for result> + + * - DFA 6 + - Are measures defined to resolve the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_746>`, :need:`[[title]] <std_req__iso26262__analysis_747>`, :need:`[[title]] <std_req__iso26262__analysis_843>` + - <Rationale for result> + + * - DFA 7 + - Can be the required level of independence shown for the identified potential dependent failures? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_748>` + - <Rationale for result> + + +.. list-table:: FMEA Checklist + :header-rows: 1 + :widths: 10,30,10,30,20 + + * - ID + - Safety analysis activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - FMEA 1 + - Are the fault models suitable and applied for the FMEA? See :need:`gd_guidl__fault_models` and also :need:`gd_req__saf_structure` + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_846>` + - <Rationale for result> + + * - FMEA 2 + - Are measures defined to resolve the identified faults? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__analysis_843>` + - <Rationale for result> diff --git a/docs/safety_mgt/module_safety_package_fdr.rst b/docs/safety_mgt/module_safety_package_fdr.rst new file mode 100644 index 000000000..c56023cb3 --- /dev/null +++ b/docs/safety_mgt/module_safety_package_fdr.rst @@ -0,0 +1,77 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Safety Package Formal Review Report +=================================== + +.. document:: Lifecycle Safety Package Formal Review + :id: doc__lifecycle_safety_package_fdr + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__fdr_reports + + +**Purpose** + +The purpose of this review checklist is to report status of the formal review for the safety package. + +**Conduct** +As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: + +- reviewer: <committer with safety manager skills explicitly named here> + +**Checklist** + +See also the review concept for further information about reviews in general and inspection in particular. + +.. list-table:: Safety Package Checklist + :header-rows: 1 + + * - Id + - Safety package activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Is a safety package provided which matches the safety plan (i.e. all planned work products referenced)? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6481>` + - <Rationale for result> + + * - 2 + - Is the argument how functional safety is achieved, provided in the safety package, plausible and sufficient? + - NO + - :need:`[[title]] <std_req__iso26262__management_6481>` + - The argument is intentionally not provided by the project. + + * - 3 + - Are the referenced work products available? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6482>` + - <Rationale for result> + + * - 4 + - Are the referenced work products in released state, including the process safety audit? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6482>` + :need:`[[title]] <std_req__iso26262__management_6469>` + - <Rationale for result> + + * - 5 + - If safety related deviations from the process or safety concept are documented, are these argued understandably? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6481>` + - <Rationale for result> diff --git a/docs/safety_mgt/module_safety_plan.rst b/docs/safety_mgt/module_safety_plan.rst new file mode 100644 index 000000000..a48e8ae86 --- /dev/null +++ b/docs/safety_mgt/module_safety_plan.rst @@ -0,0 +1,368 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Safety Plan +*********** + +.. document:: Lifecycle Safety Plan + :id: doc__lifecycle_safety_plan + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__module_safety_plan + +:note: The module safety plan shall be continuously maintained during the project. + Deviations to the module safety plan should be documented :ref:`here <lifecycle_safety_package_deviations>` + +Functional Safety Management Context +==================================== + +This Safety Plan adds to the project's :need:`wp__platform_safety_plan` all the module development relevant work products needed for ISO 26262 conformity. + +Functional Safety Management Scope +================================== + +This Safety Plan's scope is a SW module of the `SW platform <https://eclipse-score.github.io/score/main/modules/index.html>`_. +The module consists of one or more SW components and will be qualified as a SEooC. + +Functional Safety Management Roles +================================== + +.. list-table:: Module roles + :header-rows: 1 + + * - Role + - Assignee + + * - Safety Manager + - <link to Module's Safety Manager assignment or name> + + * - Module Project Manager + - <link to Module's Project Manager assignment or name> + +Tailoring +========= + +Additional to the tailoring in the SW platform project as defined in the project's :need:`wp__platform_safety_plan` we define here the additional tailoring on module level. + +- Excluded for this module are additionally the following work products (and their related requirements): + + - <work product/requirement> - <Argumentation why it is not needed or replaced by another work product or activity.> + +Functional Safety Module Work products +====================================== + +One set of work products for the module and one set for each component of the module: + +Module Work products List +------------------------- + +.. list-table:: Module Work products + :header-rows: 1 + + * - Work product Id + - Link to process + - Process status + - Link to WP + + * - :need:`wp__module_safety_plan` + - :need:`gd_guidl__saf_plan_definitions` + - :ndf:`copy('status', need_id='gd_guidl__saf_plan_definitions')` + - this document + + * - :need:`wp__module_safety_package` + - :need:`gd_guidl__saf_package` + - :ndf:`copy('status', need_id='gd_guidl__saf_package')` + - this document (including the linked documentation) + + * - :need:`wp__fdr_reports` (module Safety Plan) + - :need:`gd_chklst__safety_plan` + - :ndf:`copy('status', need_id='gd_chklst__safety_plan')` + - :need:`doc__lifecycle_safety_plan_fdr` + + * - :need:`wp__fdr_reports` (module Safety Package) + - :need:`gd_chklst__safety_package` + - :ndf:`copy('status', need_id='gd_chklst__safety_package')` + - :need:`doc__lifecycle_safety_package_fdr` + + * - :need:`wp__fdr_reports` (module's Safety Analyses & DFA) + - :need:`gd_chklst__safety_analysis` + - :ndf:`copy('status', need_id='gd_chklst__safety_analysis')` + - :need:`doc__lifecycle_safety_analysis_fdr` + + * - :need:`wp__audit_report` + - performed by external experts + - n/a + - <Link to WP> + + * - :need:`wp__module_safety_manual` + - :need:`gd_temp__safety_manual` + - :ndf:`copy('status', need_id='gd_temp__safety_manual')` + - :need:`doc__lifecycle_safety_manual` + + * - :need:`wp__verification_module_ver_report` + - :need:`gd_temp__mod_ver_report` + - :ndf:`copy('status', need_id='gd_temp__mod_ver_report')` + - :ref:`life_statistics` + + * - :need:`wp__module_sw_release_note` + - :need:`gd_temp__rel_mod_rel_note` + - :ndf:`copy('status', need_id='gd_temp__rel_mod_rel_note')` + - :need:`doc__lifecycle_release_note` + +Component Health Monitor Work products List +------------------------------------------- + +.. list-table:: Component Health Monitor Work products + :header-rows: 1 + + * - Work product Id + - Link to process + - Process status + - Link to WP + + * - :need:`wp__requirements_comp` + - :need:`gd_temp__req_comp_req` + - :ndf:`copy('status', need_id='gd_temp__req_comp_req')` + - :need:`doc__health_monitor_requirements` + + * - :need:`wp__requirements_comp_aou` + - :need:`gd_temp__req_aou_req` + - :ndf:`copy('status', need_id='gd_temp__req_aou_req')` + - :need:`doc__health_monitor_requirements` + + * - :need:`wp__requirements_inspect` + - :need:`gd_chklst__req_inspection` + - :ndf:`copy('status', need_id='gd_chklst__req_inspection')` + - :need:`doc__health_monitor_req_inspection` + + * - :need:`wp__component_arch` + - :need:`gd_temp__arch_comp` + - :ndf:`copy('status', need_id='gd_temp__arch_comp')` + - :need:`doc__health_monitor_architecture` + + * - :need:`wp__sw_arch_verification` + - :need:`gd_chklst__arch_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__arch_inspection_checklist')` + - :need:`doc__health_monitor_arc_inspection` + + * - :need:`wp__sw_component_fmea` + - :need:`gd_temp__comp_saf_fmea` + - :ndf:`copy('status', need_id='gd_temp__comp_saf_fmea')` + - :need:`doc__health_monitor_fmea` + + * - :need:`wp__sw_component_dfa` + - :need:`gd_temp__comp_saf_dfa` + - :ndf:`copy('status', need_id='gd_temp__comp_saf_dfa')` + - :need:`doc__health_monitor_dfa` + + * - :need:`wp__sw_implementation` + - :need:`gd_guidl__implementation` + - :ndf:`copy('status', need_id='gd_guidl__implementation')` + - :need:`doc__health_monitor_detailed_design` & <Link to code> + + * - :need:`wp__verification_sw_unit_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - <Link to WP> + + * - :need:`wp__sw_implementation_inspection` + - :need:`gd_chklst__impl_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__impl_inspection_checklist')` + - :need:`doc__health_monitor_impl_inspection` + + * - :need:`wp__verification_comp_int_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - <Link to WP> + +Component Launch Manager Work products List +------------------------------------------- + +.. list-table:: Component Launch Manager Work products + :header-rows: 1 + + * - Work product Id + - Link to process + - Process status + - Link to WP + + * - :need:`wp__requirements_comp` + - :need:`gd_temp__req_comp_req` + - :ndf:`copy('status', need_id='gd_temp__req_comp_req')` + - :need:`doc__launch_manager_requirements` + + * - :need:`wp__requirements_comp_aou` + - :need:`gd_temp__req_aou_req` + - :ndf:`copy('status', need_id='gd_temp__req_aou_req')` + - :need:`doc__launch_manager_requirements` + + * - :need:`wp__requirements_inspect` + - :need:`gd_chklst__req_inspection` + - :ndf:`copy('status', need_id='gd_chklst__req_inspection')` + - :need:`doc__launch_manager_req_inspection` + + * - :need:`wp__component_arch` + - :need:`gd_temp__arch_comp` + - :ndf:`copy('status', need_id='gd_temp__arch_comp')` + - :need:`doc__launch_manager_architecture` + + * - :need:`wp__sw_arch_verification` + - :need:`gd_chklst__arch_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__arch_inspection_checklist')` + - :need:`doc__launch_manager_arc_inspection` + + * - :need:`wp__sw_component_fmea` + - :need:`gd_temp__comp_saf_fmea` + - :ndf:`copy('status', need_id='gd_temp__comp_saf_fmea')` + - :need:`doc__launch_manager_fmea` + + * - :need:`wp__sw_component_dfa` + - :need:`gd_temp__comp_saf_dfa` + - :ndf:`copy('status', need_id='gd_temp__comp_saf_dfa')` + - :need:`doc__launch_manager_dfa` + + * - :need:`wp__sw_implementation` + - :need:`gd_guidl__implementation` + - :ndf:`copy('status', need_id='gd_guidl__implementation')` + - :need:`doc__launch_manager_detailed_design` & <Link to code> + + * - :need:`wp__verification_sw_unit_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - <Link to WP> + + * - :need:`wp__sw_implementation_inspection` + - :need:`gd_chklst__impl_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__impl_inspection_checklist')` + - :need:`doc__launch_manager_impl_inspection` + + * - :need:`wp__verification_comp_int_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - <Link to WP> + +Link to project planning +------------------------ + +`Lifecycle & Health Feature Team Planning <https://github.com/orgs/eclipse-score/projects/33>`_ + +Module Safety Package +===================== + +To create the safety package (according to :need:`gd_guidl__saf_package`) the following +documents and work products status have to go to "valid" (after the relevant verification were performed). + +Module Documents Status +----------------------- + +For all the work product documents the status can be seen by following the "Link to WP". +A summary of the status is also documented in the project's documentation management plan. + +See <add here the section reference to the documentation management plan> + +Component Documents Status +-------------------------- + +For all the work product documents the status can be seen by following the "Link to WP". +A summary of the status is also documented in the project's documentation management plan. + +See <add here the section reference to the documentation management plan> + +Component Requirements Status +----------------------------- + +health_monitor: + +.. needtable:: + :filter: docname is not None and "health_monitor" in docname and "requirements" in docname + :style: table + :types: comp_req + :tags: health_monitor + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +launch_manager: + +.. needtable:: + :filter: docname is not None and "launch_manager" in docname and "requirements" in docname + :style: table + :types: comp_req + :tags: launch_manager + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +Component AoU Status +-------------------- + +health_monitor: + +.. needtable:: + :filter: docname is not None and "health_monitor" in docname and "requirements" in docname + :style: table + :types: aou_req + :tags: health_monitor + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +launch_manager: + +.. needtable:: + :filter: docname is not None and "launch_manager" in docname and "requirements" in docname + :style: table + :types: aou_req + :tags: launch_manager + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +Component Architecture Status +----------------------------- + +health_monitor: + +.. needtable:: + :filter: docname is not None and "health_monitor" in docname and "architecture" in docname + :style: table + :types: comp_arc_sta; comp_arc_dyn + :tags: health_monitor + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +launch_manager: + +.. needtable:: + :filter: docname is not None and "launch_manager" in docname and "architecture" in docname + :style: table + :types: comp_arc_sta; comp_arc_dyn + :tags: launch_manager + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +.. _lifecycle_safety_package_deviations: + +Deviations from Module Safety Plan +---------------------------------- + +The following deviations from the module safety plan are present in the module safety package. +These are deviations from planned processes execution and/or workproduct results, +safety anomalies in the sense of known bugs in the software are reported in the release notes. + +<Describe here the deviations, whether they have an impact on module's safety functions, +how these can be mitigated or argued and if and when a resolution is planned.> diff --git a/docs/safety_mgt/module_safety_plan_fdr.rst b/docs/safety_mgt/module_safety_plan_fdr.rst new file mode 100644 index 000000000..ebecc0e55 --- /dev/null +++ b/docs/safety_mgt/module_safety_plan_fdr.rst @@ -0,0 +1,117 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Safety Plan Formal Review Report +================================ + +.. document:: Lifecycle Safety Plan Formal Review + :id: doc__lifecycle_safety_plan_fdr + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__fdr_reports + +**Purpose** + +The purpose of this safety plan formal review checklist is to report status of the review for the safety plan. + +**Conduct** +As described in :need:`wf__p_formal_rv`, the formal document review is performed by an "external" safety manager: + +- reviewer: <committer with safety manager skills explicitly named here> + +**Checklist** + +See also the review concept for further information about reviews in general and inspection in particular. + +.. list-table:: Safety Plan Checklist + :header-rows: 1 + + * - Id + - Safety plan activity + - Compliant to ISO 26262? + - Reference + - Comment + + * - 1 + - Is the rationale for the safety work products tailoring included? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6451>` + :need:`[[title]] <std_req__iso26262__management_6455>` + :need:`[[title]] <std_req__iso26262__management_6457>` + :need:`[[title]] <std_req__iso26262__management_6467>` + - <Rationale for result> + + * - 2 + - Is impact analysis planned in case of re-use of SW (needed for every release following the first formal release)? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6452>` + - <Rationale for result> + + * - 3 + - Does the safety plan define all needed activities for safety management (incl. formal document review and Safety Audit)? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6465>` + :need:`[[title]] <std_req__iso26262__management_6491>` + :need:`[[title]] <std_req__iso26262__management_64111>` + - <Rationale for result> + + * - 4 + - Does the safety plan define all needed activities for System and SW development, integration and verification? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6465>` + - <Rationale for result> + + * - 5 + - Does the safety plan define all needed activities for safety analysis and DFA? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6465>` + - <Rationale for result> + + * - 6 + - Does the safety plan define all needed activities for supporting processes (incl. tool mgt)? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6465>` + - <Rationale for result> + + * - 7 + - Does the safety plan document a responsible for all activities? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6463>` + - <Rationale for result> + + * - 8 + - If OSS software components is used, is it planned to be qualified? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6455>` + - <Rationale for result> + + * - 9 + - Is a safety manager and a project manager appointed for the project? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6461>` + :need:`[[title]] <std_req__iso26262__management_6462>` + - <Rationale for result> + + * - 10 + - Is safety plan sufficiently linked to the project plan? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6464>` + - <Rationale for result> + + * - 11 + - Is safety plan updated iteratively to show the progress? + - [YES | NO ] + - :need:`[[title]] <std_req__iso26262__management_6468>` + - <Rationale for result> diff --git a/docs/security_mgt/index.rst b/docs/security_mgt/index.rst new file mode 100644 index 000000000..4d292cc5d --- /dev/null +++ b/docs/security_mgt/index.rst @@ -0,0 +1,23 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Management +################### + +.. toctree:: + :titlesonly: + + module_security_plan + module_security_plan_fdr + module_security_package_fdr diff --git a/docs/security_mgt/module_security_package_fdr.rst b/docs/security_mgt/module_security_package_fdr.rst new file mode 100644 index 000000000..2b1e8a355 --- /dev/null +++ b/docs/security_mgt/module_security_package_fdr.rst @@ -0,0 +1,70 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Package Formal Review Report +===================================== + +.. document:: Lifcycle Security Package Formal Review + :id: doc__lifecycle_sec_pkg_fdr + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__fdr_reports + + +**1. Purpose** + +The purpose of this review checklist is to report status of the formal review for the Security Package. + +**2. Checklist** + +See also the review concept for further information about reviews in general and inspection in particular. + +.. list-table:: Security Package Checklist + :header-rows: 1 + + * - Id + - Security Package activity + - Compliant to ISO SAE 21434? + - Comment + + * - 1 + - Is a Security Package provided which matches the Security Plan (i.e. all planned work products referenced)? + - [YES | NO ] + - <Rationale for result> + + * - 2 + - Is the argument how security is achieved, provided in the Security Package, plausible and sufficient? + - NO + - The argument is intentionally not provided by the Project. + + * - 3 + - Are the referenced work products available? + - [YES | NO ] + - <Rationale for result> + + * - 4 + - Are the referenced work products in released state, including the Process Security Audit? + - NO + - Security Audit is currently not planned, tailored out. + + * - 5 + - If security related deviations from the process or security concept are documented, are these argued understandably? + - [YES | NO ] + - <Rationale for result> + + * - 6 + - Are the requirements for post-development available? + - [YES | NO ] + - <Rationale for result> diff --git a/docs/security_mgt/module_security_plan.rst b/docs/security_mgt/module_security_plan.rst new file mode 100644 index 000000000..579a6d8ac --- /dev/null +++ b/docs/security_mgt/module_security_plan.rst @@ -0,0 +1,211 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Plan +============= + +.. note:: Document header + +.. document:: Lifecycle Security Plan + :id: doc__lifecycle_security_plan + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__module_security_plan + + + | **1. Security Management Context** + | This Security Plan adds to the process security management guidance all the module development relevant work products needed for ISO SAE 21434 conformity. + | + | **2. Security Management Scope** + | This Security Plan's scope is a SW module of the SW platform <link to module documentation in platform/modules/<modulename>/index.rst>. + | The module consists of one or more SW components and will be qualified as a OoC. + | + | **3. Security Management Roles** + + +---------------------------+--------------------------------------------------------------+ + | Security Manager | <link to Module's Security Manager assignment or name> | + +---------------------------+--------------------------------------------------------------+ + | Project Manager | <link to Module's Project Lead assignment or name> | + +---------------------------+--------------------------------------------------------------+ + + | **4. Tailoring** + | Additional to the tailoring in the SW platform project as defined in the process security management guidance we define here the additional tailoring on module level. + | + | - Excluded for this module are additionally the following work products (and their related requirements): + | - <ISO SAE 21434 reference>: <work product/requirement> - <Argumentation why it is not needed or replaced by another work product or activity.> + | + | **5. Security Module Work Products** + | One set of work products for the module and one set for each component of the module: + +.. list-table:: Module Work Products + :header-rows: 1 + + * - Work Product Id + - Link to process + - Process status + - Link to issue + - Link to WP + - WP status + + * - :need:`wp__module_security_plan` + - Security management guideline + - <automated> + - <Link to issue> + - this document + - see above + + * - :need:`wp__module_security_package` + - Security management guideline + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__fdr_reports` (Module Security Plan) + - :need:`gd_chklst__security_plan` + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__fdr_reports` (Module Security Package) + - :need:`Security Package Formal Review Checklist <gd_chklst__security_package>` + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__fdr_reports` (Module's Security Analyses) + - Security Analysis FDR tbd + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__audit_report_security` + - performed by external experts + - n/a + - <Link to issue> + - <Link to WP> + - <WP status (manual)> + + * - :need:`wp__module_security_manual` + - :need:`gd_temp__module_security_manual` + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__verification_module_ver_report` + - Verification process guidance + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__module_sw_release_note` + - Release management guidance + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__sw_module_sbom` + - Security management guidance + - not started + - <Link to issue> + - <Link to WP> + - <automated> + + +.. list-table:: Component <name> Work Products + :header-rows: 1 + + * - Work Product Id + - Link to process + - Process status + - Link to issue + - Link to WP + - WP status + + * - :need:`wp__requirements_comp` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__requirements_comp_aou` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__requirements_inspect` + - <Link to process> + - <automated> + - n/a + - Checklist used in Pull Request Review + - n/a + + * - :need:`wp__component_arch` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__sw_component_security_analysis` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__sw_arch_verification` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__sw_implementation` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__verification_sw_unit_test` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__sw_implementation_inspection` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> + + * - :need:`wp__verification_comp_int_test` + - <Link to process> + - <automated> + - <Link to issue> + - <Link to WP> + - <automated> diff --git a/docs/security_mgt/module_security_plan_fdr.rst b/docs/security_mgt/module_security_plan_fdr.rst new file mode 100644 index 000000000..a98042837 --- /dev/null +++ b/docs/security_mgt/module_security_plan_fdr.rst @@ -0,0 +1,114 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Plan Formal Review Report +================================== + +.. document:: Lifecycle Security Plan Formal Review + :id: doc__lifecycle_security_plan_fdr + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__fdr_reports + + +**1. Purpose** + +The purpose of this review checklist is to provide a guidence for reviewing the Security Plans for each module. +Each Module Security Plan shall have one checklist filled. + +**2. Checklist** + +See also the review concept for further information about reviews in general and inspection in particular. + +.. list-table:: Security Plan Checklist + :header-rows: 1 + + * - Id + - Security Plan activity + - Compliant to ISO SAE 21434? + - Comment + + * - 1 + - Is the rationale for the Security Work Products tailoring included? + - [YES | NO ] + - <Rationale for result> + + * - 2 + - Is impact analysis planned in case of re-use of SW (needed for every release following the first formal release)? + - [YES | NO ] + - <Rationale for result> + + * - 3 + - Does the Security Plan define all needed activities for security management (including review and security audit)? + - [YES | NO ] + - <Rationale for result> + + * - 4 + - Does the Security Plan define all needed activities for SW development, integration and verification? + - [YES | NO ] + - <Rationale for result> + + * - 5 + - Does the Security Plan define all needed activities for security analysis? + - [YES | NO ] + - <Rationale for result> + + * - 6 + - Does the Security Plan define all needed activities for supporting processes (incl. tool mgt)? + - [YES | NO ] + - <Rationale for result> + + * - 7 + - Does the Security Plan document a responsible for all activities? + - [YES | NO ] + - <Rationale for result> + + * - 8 + - If OSS software components is used, is it planned to be qualified? + - [YES | NO ] + - <Rationale for result> + + * - 9 + - Is a Security Manager and a Project Lead appointed for the project? + - [YES | NO ] + - <Rationale for result> + + * - 10 + - Is Security Plan sufficiently linked to the Project Plan? + - [YES | NO ] + - <Rationale for result> + + * - 11 + - Is Security Plan updated iteratively to show the progress? + - [YES | NO ] + - <Rationale for result> + + * - 12 + - If Out-of-context software components is used, are the assumptions documented? + - [YES | NO ] + - <Rationale for result> + + * - 13 + - Does the Security Plan define all needed activities for SBOM generation? + - [YES | NO ] + - <Rationale for result> + + * - 14 + - Does the Security Plan define regular vulnerability scans for the generated SBOM? + - [YES | NO ] + - <Rationale for result> + +.. note:: + Off-the-shelf means existing software which may used without modification, e.g. existing OSS diff --git a/index.rst b/index.rst index 167e5a539..c34ccf4dc 100644 --- a/index.rst +++ b/index.rst @@ -21,6 +21,10 @@ Module / Feature Documentation .. toctree:: :maxdepth: 1 + docs/features/index + docs/manuals/index + docs/safety_mgt/index + docs/security_mgt/index docs/release/index docs/verification_report/statistics @@ -33,3 +37,32 @@ Component documentation score/launch_manager/docs/index score/health_monitor/docs/index + +.. _quick-start-building-testing: + +Quick Start - Building and Testing +================================== + +To build the entire module: + +.. code-block:: bash + + bazel build //src/... + +To run all tests: + +.. code-block:: bash + + bazel test //... + +To run only unit tests: + +.. code-block:: bash + + bazel test //src/... + +To run only component or feature integration tests: + +.. code-block:: bash + + bazel test //tests/... \ No newline at end of file diff --git a/score/health_monitor/docs/architecture/chklst_arc_inspection.rst b/score/health_monitor/docs/architecture/chklst_arc_inspection.rst new file mode 100644 index 000000000..06209acf7 --- /dev/null +++ b/score/health_monitor/docs/architecture/chklst_arc_inspection.rst @@ -0,0 +1,202 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +.. document:: Health Monitor Architecture Inspection Checklist + :id: doc__health_monitor_arc_inspection + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__sw_arch_verification + + +Architecture Inspection Checklist +================================= + +Purpose +------- + +The purpose of the software architecture checklist is to ensure that the design meets the criteria and quality as +defined per project processes and guidelines for feature and component architectural design elements. +It helps to check the compliance with requirements, identify errors or inconsistencies, and ensure adherence to best +practices. +The checklist guides evaluation of the architecture design, identifies potential problems, and aids in +communication and documentation of architectural decisions to stakeholders. + +Conduct +------- + +As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled: + +- content responsible (author): <contributor/committer explicitly named here, who is the main author, as can be seen in config mgt tooling> +- reviewer: <contributor/committer explicitly named here, who is the main content reviewer, must be different from content responsible> +- moderator: <committer explicitly named here, who is is the safety manager, security manager or quality manager initiating the inspection> + +Checklist +--------- + +It is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additionally to add in the remarks why it is passed or not passed. +In case of "no" an issue link to the issue tracking system has to be added in the last column (if not solved in the same issue). +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Architecture Design Review Checklist + :header-rows: 1 + + * - Review Id + - Acceptance criteria + - Guidance + - passed + - Remarks + - Issue link + * - ARC_01_01 + - Is the traceability from software architectural elements to requirements, and other level architectural elements (e.g. component to interface) established according to the "Relations between the architectural elements" as described in :need:`doc_concept__arch_process`? + - Trace should be checked automatically by tool support in the future. Will be removed from the checklist once the requirement (:need:`Correlations of the architectural building blocks <gd_req__arch_build_blocks_corr>`) is implemented. Refer to `Tool Requirements <https://eclipse-score.github.io/docs-as-code/main/internals/requirements/requirements.html>`_ for the current status. + - + - + - + * - ARC_01_02 + - Does the software architecture design consider all the requirements allocated or belonging to the architectural element, including functional, non-functional, safety, and security requirements and all related design decisions? + - Check if all requirements allocated or belonging to the architectural element are considered in the design. This includes functional requirements (e.g. functional safety requirements), non-functional requirements (e.g. performance, reliability), and security requirements (e.g. confidentiality, integrity). Additionally, ensure that all related design decisions are taken into account and documented in the architectural design. + - + - + - + * - ARC_01_03 + - If the architectural element is related to any supplier manuals (incl. safety and security) + are the relevant parts covered? + - If the architecture makes use of supplied elements, their manuals (like safety) have to be considered (i.e. its provided functionality matches the expectation and assumptions are fulfilled). Note that in case of safety component this means that assumed Technical Safety Requirements and AoUs of the safety manual are covered. + - + - + - + * - ARC_01_04 + - Is the architectural element traceable to the lower level artifacts as defined by the workproduct traceability? + - Will be removed from checklist once the requirement (:need:`Correlations of the architectural building blocks <gd_req__arch_build_blocks_corr>`) is implemented by automated tool check. See `Tool Requirements <https://eclipse-score.github.io/docs-as-code/main/internals/requirements/requirements.html>`_. + Details of possible linking can be depicted from the traceability concept. + - + - + - + * - ARC_02_01 + - Is the software architecture design compliant with the (overall) feature architecture? + - On component level check against the feature architecture, on feature level check other features with common components used. + - + - + - + * - ARC_02_02 + - Is appropriate and comprehensible operation/interface naming present in the architectural design? + - Check :need:`gd_guidl__arch_design` + - + - + - + * - ARC_02_03 + - Are correctness of data flow and control flow within the architectural elements considered? + - E.g. examine definitions, transformations, integrity, and interaction of data; check error handling, data + exchange between elements, correct response to inputs and documented decision making. + Note: consistency is ensured by the process/tooling, by defining each interface only once. + - + - + - + * - ARC_02_04 + - Are the interfaces between the software architectural element and other architectural elements well-defined? + - Check if the interface reacts on non-defined behaviour or errors; can established protocols be used; are the + interfaces for inputs, outputs, error codes documented; is loose coupling considered and only limited exposure; + can unit or integration test be written against the interface; data amount transferred; no sensitive data + exposure; + - + - + - + * - ARC_02_05 + - Does the software architectural element consider the timing constraints (from the parent requirement)? + - If there are hard requirements on the timing a programming time estimation should be performed and also + deadline supervision considered. + - + - + - + * - ARC_02_06 + - Is the documentation of the software architectural element, including textual and graphical descriptions + (e.g., UML diagrams), comprehensible and complete? + - Use of semi-formal notation is expected for architectural elements with an allocated ASIL level. + Is the architecture template correctly filled? + - + - + - + * - ARC_03_01 + - Is the architectural element modular and encapsulated? + - Check e.g. that only minimal interfaces are used. Design should be object oriented. Interfaces and interactions are clearly defined. Usage of access types (private, protected) properly set. Limited global variables. + - + - + - + * - ARC_03_02 + - Is the suitability of the software architecture for future modifications and maintainability considered? + - Check for e.g. loose coupling, separation of concerns, high cohesion, versioning strategy for interfaces, + decision records, use of established design patterns. + - + - + - + * - ARC_03_03 + - Are simplicity and avoidance of unnecessary complexity present in the software architecture and the component? + - Indicators for complexity are: number of use cases (corresponding to dynamic diagrams) + allocated to single design element, number of interfaces and operations in an interface, + function parameters, global variables, complex types, limited comprehensibility. + The belonging code metrics should be checked. + + Notes: + + If the "number of use cases" or "number of interfaces" above exceeds "3" or "number of function parameters" exceeds "5" or the "number of operations" exceeds "20" or global variables are used, a design rationale is mandatory. + + See also if component classification :need:`gd_temp__component_classification` as measure is present. + + - + - + - + * - ARC_03_04 + - Is the software architecture design following best practices and design principles? + - Refer to architectural guidelines and recommendations within the project documentation. + - + - + - + * - ARC_04_03 + - If your software architectural design of the component includes processes and tasks, are their scheduling policies and priorities (at least the needed relation one to another) defined to ensure that timing requirements are met? Please note, that the particular priorities or priority ranges will be probably defined by the project handbook or the software development plan. + + Note: see :need:`std_req__iso26262__software_743` + - Give a reason for these scheduling policies and priorities or explain why not needed. + - + - + - + + +.. attention:: + The above checklist entries must be filled according to your component architecture in scope. + +Note: If a Review ID is not applicable for your architecture, then state ""n/a" in status and comment accordingly in remarks. + +The following static views in "valid" state and with "inspected" tag set are in the scope of this inspection: + +.. needtable:: + :filter: "health_monitor" in docname and "architecture" in docname and docname is not None and status == "valid" + :style: table + :types: comp_arc_sta + :tags: health_monitor + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +and the following dynamic views: + +.. needtable:: + :filter: "health_monitor" in docname and "architecture" in docname and docname is not None and status == "valid" + :style: table + :types: comp_arc_dyn + :tags: health_monitor + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title diff --git a/score/health_monitor/docs/component_classification.rst b/score/health_monitor/docs/component_classification.rst deleted file mode 100644 index f8852f780..000000000 --- a/score/health_monitor/docs/component_classification.rst +++ /dev/null @@ -1,196 +0,0 @@ -.. - # ******************************************************************************* - # Copyright (c) 2025 Contributors to the Eclipse Foundation - # - # See the NOTICE file(s) distributed with this work for additional - # information regarding copyright ownership. - # - # This program and the accompanying materials are made available under the - # terms of the Apache License Version 2.0 which is available at - # https://www.apache.org/licenses/LICENSE-2.0 - # - # SPDX-License-Identifier: Apache-2.0 - # ******************************************************************************* - -Component Classification -======================== - -.. note:: Document header - -.. document:: Health Monitor Component Classification - :id: doc__health_monitor_comp_class - :status: draft - :safety: ASIL_B - :security: NO - :realizes: wp__sw_component_class - :tags: template - -.. attention:: - The above directive must be updated according to your Component. - - - Modify ``Your Component Name`` to be your Component Name - - Modify ``id`` to be your Component Name in upper snake case preceded by ``doc__`` - - Adjust ``status`` to be ``valid`` - - Adjust ``safety`` and ``tags`` according to your needs - -| Classification of <component> -| -| <Link to OSS component source (e.g. in github) including the selected version> -| -| Additional documentation considered: -| <list of documentation links> - - -Step 1: Determine (P): the uncertainty of the Processes applied ---------------------------------------------------------------- - -| Apply the process measures to determine (P). -| The result of a process measure shall have as outcome [HE, PE, NE] -| - HE: High Evidence -| - PE: Partly Evidence but Manageable -| - NE: No Evidence - -.. list-table:: Determine (P) - :header-rows: 1 - - * - Id - - Indicator for applying process - - Result - - Rationale for result - - * - 1 - - Are rules, state-of-the art processes applied for the design, implementation and verification? - - <HE|PE|NE> - - <Rationale for result> - - * - 2 - - Are requirements available? - - <HE|PE|NE> - - <Rationale for result> - - * - 3 - - Are specifications for functionalities and properties available (architecture)? - - <HE|PE|NE> - - <Rationale for result> - - * - 4 - - Are design specifications available? - - <HE|PE|NE> - - <Rationale for result> - - * - 5 - - Are configuration specification and data available, if applicable? - - <HE|PE|NE> - - <Rationale for result> - - * - 6 - - Are verification measures including tests and reports available? - - <HE|PE|NE> - - <Rationale for result> - - -| (P=1) shall be selected when none of the determined process measures indicate PE or NE. -| (P=2) shall be selected when at least one of the determined process measures indicate PE or NE, but the gaps evaluated are acceptable, means -| the risk of systematic faults due to these gaps is sufficiently low or manageable by mitigating the gaps. -| (P=3) in all other cases. - -<component name> is determined as P=<1|2|3> - - -Step 2: Determine (C): the uncertainty of finding systematic faults based on the Complexity -------------------------------------------------------------------------------------------- - -| Apply the complexity measures to determine (C). -| The result of a complexity measure shall have as outcome [NH, HM, NM] -| - NH: Not High -| - HM: High but Manageable -| - NM: high and Not Manageable -| -| **Complexity measure for programming language: <C++ or RUST>** - -<select the correct table below (table for C++ is TBD)> - -.. list-table:: Determine (C) for RUST - :header-rows: 1 - - * - Id - - Indicator for high Complexity - - Complexity measure Tool - - Result - - Number - - * - 1 - - High amount of Lines of Code - - Lines of Code (without comments) (generated code is excluded, e.g. ProtoCmpl) - - <NH|HM|NM> - - <Number> - - * - 2 - - Unsafe code used / total unsafe code - - Count: - * LoUC+N: lines of unsafe code with safety note - * LoUC : lines of unsafe code, no safety note - - <NH|HM|NM> - - <Number> - - * - 3 - - | Test exists / Coverage (Function, Line) - | (maybe better: testability, but how to measure?) - - Existing Tests Coverage - - <NH|HM|NM> - - <Number> - - * - 4 - - High amount of public function interfaces - - Number of public function interfaces - - <NH|HM|NM> - - <RNumber> - - * - 5 - - High amount of function parameters - - Number of parameters - - <NH|HM|NM> - - <Number> - - -| (C=1) shall be selected when none of the determined complexity measures indicate HM or NM. -| (C=2) shall be selected when at least one of the determined complexity measures indicate HM or NM, but the gaps evaluated are acceptable, means -| the risk of systematic faults due to these gaps is sufficiently low in the context of the project or manageable by mitigating the gaps. -| (C=3) in all other cases. -| - -<component name> is determined as C=<1|2|3> - - -Step 3: Determine (CLAS_OUT): the classification outcome --------------------------------------------------------- - -| Select CLAS_OUT depending on the determined values of (C) and (P) - -+-------+-----------------------+ -| ( C ) | ( P ) | -+-------+-------+-------+-------+ -| | 1 | 2 | 3 | -+=======+=======+=======+=======+ -| 1 | Q | Q | QR | -+-------+-------+-------+-------+ -| 2 | QR | QR | QR | -+-------+-------+-------+-------+ -| 3 | QR | QR | NQ | -+-------+-------+-------+-------+ - -<component name> is classified as CLAS_OUT=<Q|QR|NQ> - - -Step 4: Document all results and rationale for choosing (P) and (C) and (CLAS_OUT) ----------------------------------------------------------------------------------- -This document - - -Step 5: Based on (CLAS_OUT) select the activities -------------------------------------------------- - -| As soon as the change request containing this is in status "Accepted", the module safety plan for the component development is adapted based on the following: (select according to above result) -| - Q: Follow the processes for qualification of software components in a safety context. -| - QR: Follow the process for pre-existing software architectural elements -| - NQ: Do no use this element in safety context diff --git a/score/health_monitor/docs/detailed_design/chklst_impl_inspection.rst b/score/health_monitor/docs/detailed_design/chklst_impl_inspection.rst new file mode 100644 index 000000000..f7195d6b8 --- /dev/null +++ b/score/health_monitor/docs/detailed_design/chklst_impl_inspection.rst @@ -0,0 +1,115 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +.. document:: Health Monitor Implementation Inspection Checklist + :id: doc__health_monitor_impl_inspection + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__sw_implementation_inspection + + +Implementation Inspection Checklist +=================================== + +Purpose +------- + +The purpose of this checklist is to collect the topics to be checked during implementation, +i.e. in the detailed design and the source code of the units. + +The checklist shall be agnostic to which programming language is used. Differences shall be treated +by linking to C++ or Rust specific documentation. + +Conduct +------- + +As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled: + +- content responsible (author): <contributor/committer explicitly named here, who is the main author, as can be seen in config mgt tooling> +- reviewer: <contributor/committer explicitly named here, who is the main content reviewer, must be different from content responsible> +- moderator: <committer explicitly named here, who is is the safety manager, security manager or quality manager initiating the inspection> + +Checklist +--------- + +It is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additionally to add in the remarks why it is passed or not passed. +In case of "no" an issue link to the issue tracking system has to be added in the last column (if not solved in the same issue). +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Implementation Checklist + :header-rows: 1 + :widths: 10,30,50,6,6,8 + + * - Review ID + - Acceptance Criteria + - Guidance + - Passed + - Remarks + - Issue link + * - IMPL_01_01 + - Is the design according to guidelines? + - see :need:`gd_temp__detailed_design` and :need:`doc_concept__imp_concept` + (e.g. are the views done with the proposed UML diagrams) + - + - + - + * - IMPL_01_02 + - Is the implementation according to specification? + - Check if the linked component requirements are fulfilled + and detailed design also matches architecture description. + - + - + - + * - IMPL_01_03 + - Are the design decisions and constraints documented? + - Check also for plausibility of these. + - + - + - + * - IMPL_01_04 + - Are all external libraries used by the component specified in the detailed design? + - Check the automated dependency analysis. + Also make sure ASIL rated units also only use ASIL rated libraries. + - + - + - + * - IMPL_02_01 + - Are the static and dynamic code analysis reports verified for violations? + - All violations in ASIL related code must be justified. This includes the checks of coding guidelines. + - + - + - + * - IMPL_02_02 + - Do manual checks, that are derived from the coding guideline, find no safety critical error? + - Check this for the programming language used (e.g. C++ <link_to_checks_list>, Rust <link_to_checks_list>) + - + - + - + * - IMPL_03_01 + - Do the UID of the interface in component documentation match the implemented interface names of the unit? + - Compare interface UIDs (which contains the interface name) in component architecture/detailed design documentation + with public interfaces in source code (e.g. API headers, traits, public types/functions). + - + - + - + * - IMPL_03_02 + - Are detailed design and source code consistent and is the respective traceability established ? + - Check if available static and dynamic design diagrams and the textual descriptions match the code + (e.g. naming of interfaces, units, functions/operations/messages, data types). + Check if the folder/file names of the units and its source code matches the intended functionality. + For example if a unit is named "communication" it should not contain code for "data processing". + - + - + - diff --git a/score/health_monitor/docs/index.rst b/score/health_monitor/docs/index.rst index 3af4293af..6e3f22461 100644 --- a/score/health_monitor/docs/index.rst +++ b/score/health_monitor/docs/index.rst @@ -175,8 +175,10 @@ Footnotes :hidden: requirements/index.rst + requirements/chklst_req_inspection architecture/index.rst + architecture/chklst_arc_inspection detailed_design/index.rst + detailed_design/chklst_impl_inspection safety_analysis/fmea.rst safety_analysis/dfa.rst - component_classification.rst diff --git a/score/health_monitor/docs/requirements/chklst_req_inspection.rst b/score/health_monitor/docs/requirements/chklst_req_inspection.rst new file mode 100644 index 000000000..4036f902e --- /dev/null +++ b/score/health_monitor/docs/requirements/chklst_req_inspection.rst @@ -0,0 +1,176 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +.. document:: Health Monitor Requirements Inspection Checklist + :id: doc__health_monitor_req_inspection + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__requirements_inspect + + +Requirement Inspection Checklist +================================ + +Purpose +------- + +The purpose of this requirement inspection checklist is to collect the topics to be checked during requirements inspection. + +Conduct +------- + +As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled: + +- content responsible (author): <contributor/committer explicitly named here, who is the main author, as can be seen in config mgt tooling> +- reviewer: <contributor/committer explicitly named here, who is the main content reviewer, must be different from content responsible> +- moderator: <committer explicitly named here, who is is the safety manager, security manager or quality manager initiating the inspection> +- test expert: <one of the reviewers explicitly named here, to cover REQ_08_01 as described> + +Checklist +--------- + +It is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additionally to add in the remarks why it is passed or not passed. +In case of "no" an issue link to the issue tracking system has to be added in the last column (if not solved in the same issue). +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Component Requirement Inspection Checklist + :header-rows: 1 + :widths: 10,30,50,6,6,8 + + * - Review ID + - Acceptance Criteria + - Guidance + - Passed + - Remarks + - Issue link + * - REQ_01_01 + - Is the requirement formulation template used? + - see :need:`gd_temp__req_formulation`, this includes the use of "shall". + - + - + - + * - REQ_02_01 + - Is the requirement description *comprehensible* ? + - If you think the requirement is hard to understand, comment here. + - + - + - + * - REQ_02_02 + - Is the requirement description *unambiguous* ? + - Especially search for "weak words" like "about", "etc.", "relevant" and others (see the internet documentation on this). This check shall be supported by tooling. + - + - + - + * - REQ_02_03 + - Is the requirement description *atomic* ? + - A good way to think about this is to consider if the requirement may be tested by one (positive) test case or needs more of these. The requirement formulation template should also avoid being non-atomic already. Note that there are cases where also non-atomic requirements are the better ones, for example if those are better understandable. + - + - + - + * - REQ_02_04 + - Is the requirement description *feasible* ? + - If at the time of the inspection the requirement has already some implementation, the answer is yes. This can be checked via traces, but also :need:`gd_req__req_attr_impl` shows this. In case the requirement has no implementation at the time of inspection (i.e. not implemented at least as "proof-of-concept"), a development expert should be invited to the Pull-Request review to explicitly check this item. + - + - + - + * - REQ_02_05 + - Is the requirement description *independent from implementation* ? + - This checkpoint should improve requirements definition in the sense that the "what" is described and not the "how" - the latter should be described in architecture/design derived from the requirement. But there can also be a good reason for this, for example we would require using a file format like JSON and even specify the formatting standard already on stakeholder requirement level because we want to be compatible. A finding in this checkpoint does not mean there is a safety problem in the requirement. + - + - + - + * - REQ_03_01 + - Is the *linkage to the parent requirement* correct? + - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement. + - + - + - + * - REQ_04_01 + - Is the requirement *internally and externally consistent*? + - Does the requirement contradict other requirements within the same or higher levels? One may restrict the search to the feature for component requirements, for features to other features using same components. Is the description of the requirement consistent with all its attributes (if not already part of another check, e.g. does the title fit?). + - + - + - + * - REQ_05_01 + - Do the software requirements consider *timing constraints*? + - This checkpoint encourages to think about timing constraints even if those are not explicitly mentioned in the parent requirement. If the reviewer of a requirement already knows or suspects that the code execution will be consuming a lot of time, one should think of the expectation of a "user". + - + - + - + * - REQ_06_01 + - Does the requirement consider *external interfaces*? + - The SW platform's external interfaces (to the user) are defined in the Feature Architecture, so the Feature and Component Requirements should determine the input data use and setting of output data for these interfaces. Are all output values defined? + - + - + - + * - REQ_07_01 + - Is the *safety* attribute set correctly? + - Derived requirements are checked automatically, see :need:`gd_req__req_linkage_safety`. But for the top level requirements (and also all AoU) this needs to be checked manually for correctness. + - + - + - + * - REQ_07_02 + - Is the attribute *security* set correctly? + - For component requirements this checklist item is supported by automated check: "Every requirement which satisfies a feature requirement with security attribute set to YES inherits this". But the component requirements/architecture may additionally also be subject to a :need:`wp__sw_component_security_analysis`. + - + - + - + * - REQ_08_01 + - Is the requirement *verifiable*? + - If at the time of the inspection already tests are created for the requirement, the answer is yes. This can be checked via traces, but also :need:`gd_req__req_attr_test_covered` shows this. In case the requirement is not sufficiently traced to test cases already, a test expert is invited to the inspection to give their opinion whether the requirement is formulated in a way that supports test development and the available test infrastructure is sufficient to perform the test. + - + - + - + * - REQ_08_02 + - Is the requirement verifiable by design or code review in case it is not feasibly testable? + - In very rare cases a requirement may not be verifiable by test cases, for example a specific non-functional requirement. In this case a requirement analysis verifies the requirement by design/code review. If such a requirement is in scope of this inspection, please check this here and link to the respective review record. A test expert is invited to the inspection to confirm their opinion that the requirement is not testable. + - + - + - + * - REQ_09_01 + - Do the requirements that define a safety mechanism specify the error reaction leading to a safe state? + - Alternatively to the safe state there could also be "repair" mechanisms. Also do not forget to consider REQ_05_01 for these. + - + - + - + + +.. attention:: + The above checklist entries must be filled according to your component requirements in scope. + +Note: If a Review ID is not applicable for your requirement, then state ""n/a" in status and comment accordingly in remarks. + +The following requirements in "valid" state and with "inspected" tag set are in the scope of this inspection: + +.. needtable:: + :filter: "health_monitor" in docname and "requirements" in docname and docname is not None and status == "valid" + :style: table + :types: comp_req + :tags: health_monitor + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +And also the following AoUs in "valid" state and with "inspected" tag set (for these please answer the questions above as if the AoUs are requirements, except question REQ_03_01): + +.. needtable:: + :filter: "health_monitor" in docname and "requirements" in docname and docname is not None and status == "valid" + :style: table + :types: aou_req + :tags: health_monitor + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title diff --git a/score/health_monitor/docs/requirements/index.rst b/score/health_monitor/docs/requirements/index.rst index ee9089e29..e9c8613ce 100644 --- a/score/health_monitor/docs/requirements/index.rst +++ b/score/health_monitor/docs/requirements/index.rst @@ -66,7 +66,7 @@ Requirements :belongs_to: comp__health_monitor :status: invalid - The Feature shall do xyz to the user to bring him to this condition at this time + The Component shall do xyz to the user to bring him to this condition at this time Note: (optional, not to be verified) @@ -77,7 +77,7 @@ Requirements :safety: ASIL_B :status: invalid - The Feature User shall do xyz to use the feature safely + The Component User shall do xyz to use the component safely .. attention:: The above directives must be updated according to your feature requirements. @@ -86,5 +86,5 @@ Requirements - Set the status to valid and start the review/merge process - Add other needed requirements for your feature -.. needextend:: docname is not None and "health_monitor" in id - :+tags: health_monitor +.. needextend:: is_external == False and "__health_monitor__" in id + :+tags: lifecycle, health_monitor diff --git a/score/health_monitor/docs/security_analysis/.gitkeep b/score/health_monitor/docs/security_analysis/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/score/launch_manager/docs/architecture/chklst_arc_inspection.rst b/score/launch_manager/docs/architecture/chklst_arc_inspection.rst new file mode 100644 index 000000000..8e850584d --- /dev/null +++ b/score/launch_manager/docs/architecture/chklst_arc_inspection.rst @@ -0,0 +1,202 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +.. document:: Launch Manager Architecture Inspection Checklist + :id: doc__launch_manager_arc_inspection + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__sw_arch_verification + + +Architecture Inspection Checklist +================================= + +Purpose +------- + +The purpose of the software architecture checklist is to ensure that the design meets the criteria and quality as +defined per project processes and guidelines for feature and component architectural design elements. +It helps to check the compliance with requirements, identify errors or inconsistencies, and ensure adherence to best +practices. +The checklist guides evaluation of the architecture design, identifies potential problems, and aids in +communication and documentation of architectural decisions to stakeholders. + +Conduct +------- + +As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled: + +- content responsible (author): <contributor/committer explicitly named here, who is the main author, as can be seen in config mgt tooling> +- reviewer: <contributor/committer explicitly named here, who is the main content reviewer, must be different from content responsible> +- moderator: <committer explicitly named here, who is is the safety manager, security manager or quality manager initiating the inspection> + +Checklist +--------- + +It is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additionally to add in the remarks why it is passed or not passed. +In case of "no" an issue link to the issue tracking system has to be added in the last column (if not solved in the same issue). +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Architecture Design Review Checklist + :header-rows: 1 + + * - Review Id + - Acceptance criteria + - Guidance + - passed + - Remarks + - Issue link + * - ARC_01_01 + - Is the traceability from software architectural elements to requirements, and other level architectural elements (e.g. component to interface) established according to the "Relations between the architectural elements" as described in :need:`doc_concept__arch_process`? + - Trace should be checked automatically by tool support in the future. Will be removed from the checklist once the requirement (:need:`Correlations of the architectural building blocks <gd_req__arch_build_blocks_corr>`) is implemented. Refer to `Tool Requirements <https://eclipse-score.github.io/docs-as-code/main/internals/requirements/requirements.html>`_ for the current status. + - + - + - + * - ARC_01_02 + - Does the software architecture design consider all the requirements allocated or belonging to the architectural element, including functional, non-functional, safety, and security requirements and all related design decisions? + - Check if all requirements allocated or belonging to the architectural element are considered in the design. This includes functional requirements (e.g. functional safety requirements), non-functional requirements (e.g. performance, reliability), and security requirements (e.g. confidentiality, integrity). Additionally, ensure that all related design decisions are taken into account and documented in the architectural design. + - + - + - + * - ARC_01_03 + - If the architectural element is related to any supplier manuals (incl. safety and security) + are the relevant parts covered? + - If the architecture makes use of supplied elements, their manuals (like safety) have to be considered (i.e. its provided functionality matches the expectation and assumptions are fulfilled). Note that in case of safety component this means that assumed Technical Safety Requirements and AoUs of the safety manual are covered. + - + - + - + * - ARC_01_04 + - Is the architectural element traceable to the lower level artifacts as defined by the workproduct traceability? + - Will be removed from checklist once the requirement (:need:`Correlations of the architectural building blocks <gd_req__arch_build_blocks_corr>`) is implemented by automated tool check. See `Tool Requirements <https://eclipse-score.github.io/docs-as-code/main/internals/requirements/requirements.html>`_. + Details of possible linking can be depicted from the traceability concept. + - + - + - + * - ARC_02_01 + - Is the software architecture design compliant with the (overall) feature architecture? + - On component level check against the feature architecture, on feature level check other features with common components used. + - + - + - + * - ARC_02_02 + - Is appropriate and comprehensible operation/interface naming present in the architectural design? + - Check :need:`gd_guidl__arch_design` + - + - + - + * - ARC_02_03 + - Are correctness of data flow and control flow within the architectural elements considered? + - E.g. examine definitions, transformations, integrity, and interaction of data; check error handling, data + exchange between elements, correct response to inputs and documented decision making. + Note: consistency is ensured by the process/tooling, by defining each interface only once. + - + - + - + * - ARC_02_04 + - Are the interfaces between the software architectural element and other architectural elements well-defined? + - Check if the interface reacts on non-defined behaviour or errors; can established protocols be used; are the + interfaces for inputs, outputs, error codes documented; is loose coupling considered and only limited exposure; + can unit or integration test be written against the interface; data amount transferred; no sensitive data + exposure; + - + - + - + * - ARC_02_05 + - Does the software architectural element consider the timing constraints (from the parent requirement)? + - If there are hard requirements on the timing a programming time estimation should be performed and also + deadline supervision considered. + - + - + - + * - ARC_02_06 + - Is the documentation of the software architectural element, including textual and graphical descriptions + (e.g., UML diagrams), comprehensible and complete? + - Use of semi-formal notation is expected for architectural elements with an allocated ASIL level. + Is the architecture template correctly filled? + - + - + - + * - ARC_03_01 + - Is the architectural element modular and encapsulated? + - Check e.g. that only minimal interfaces are used. Design should be object oriented. Interfaces and interactions are clearly defined. Usage of access types (private, protected) properly set. Limited global variables. + - + - + - + * - ARC_03_02 + - Is the suitability of the software architecture for future modifications and maintainability considered? + - Check for e.g. loose coupling, separation of concerns, high cohesion, versioning strategy for interfaces, + decision records, use of established design patterns. + - + - + - + * - ARC_03_03 + - Are simplicity and avoidance of unnecessary complexity present in the software architecture and the component? + - Indicators for complexity are: number of use cases (corresponding to dynamic diagrams) + allocated to single design element, number of interfaces and operations in an interface, + function parameters, global variables, complex types, limited comprehensibility. + The belonging code metrics should be checked. + + Notes: + + If the "number of use cases" or "number of interfaces" above exceeds "3" or "number of function parameters" exceeds "5" or the "number of operations" exceeds "20" or global variables are used, a design rationale is mandatory. + + See also if component classification :need:`gd_temp__component_classification` as measure is present. + + - + - + - + * - ARC_03_04 + - Is the software architecture design following best practices and design principles? + - Refer to architectural guidelines and recommendations within the project documentation. + - + - + - + * - ARC_04_03 + - If your software architectural design of the component includes processes and tasks, are their scheduling policies and priorities (at least the needed relation one to another) defined to ensure that timing requirements are met? Please note, that the particular priorities or priority ranges will be probably defined by the project handbook or the software development plan. + + Note: see :need:`std_req__iso26262__software_743` + - Give a reason for these scheduling policies and priorities or explain why not needed. + - + - + - + + +.. attention:: + The above checklist entries must be filled according to your component architecture in scope. + +Note: If a Review ID is not applicable for your architecture, then state ""n/a" in status and comment accordingly in remarks. + +The following static views in "valid" state and with "inspected" tag set are in the scope of this inspection: + +.. needtable:: + :filter: "launch_manager" in docname and "architecture" in docname and docname is not None and status == "valid" + :style: table + :types: comp_arc_sta + :tags: launch_manager + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +and the following dynamic views: + +.. needtable:: + :filter: "launch_manager" in docname and "architecture" in docname and docname is not None and status == "valid" + :style: table + :types: comp_arc_dyn + :tags: launch_manager + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title diff --git a/score/launch_manager/docs/architecture/component_architecture.rst b/score/launch_manager/docs/architecture/component_architecture.rst new file mode 100644 index 000000000..814234eb1 --- /dev/null +++ b/score/launch_manager/docs/architecture/component_architecture.rst @@ -0,0 +1,82 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Component Architecture Documentation +==================================== + +.. document:: Launch Manager Architecture + :id: doc__launch_manager_architecture + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__component_arch + :tags: template + + +Overview +-------- + +<Brief summary of the architecture.> + +Requirements Linked to Component Architecture +--------------------------------------------- + +.. code-block:: none + + .. needtable:: Overview of Component Requirements + :style: table + :columns: title;id + :filter: search("comp_arch_sta__archdes$", "fulfils_back") + :colwidths: 70,30 + +Description +----------- + +<General Description> + +<Design Decisions - For the documentation of the decision the :need:`gd_temp__change_decision_record` can be used.> + +<Design Constraints> + +Rationale Behind Architecture Decomposition +******************************************* + +Mandatory: A motivation for the decomposition or reason for not further splitting it into internal components. + +.. note:: Common decisions across components / cross cutting concepts is at the higher level. + +Static Architecture +------------------- + +The components are designed to cover the expectations from the feature architecture +(i.e. if already exists a definition it should be taken over and enriched). + +A component can optional also consist of lower level components to further structure the architecture. The component and its static views can also optionally use interfaces provided by other components. + +tbd + +Dynamic Architecture +-------------------- + +tbd + +Interfaces +---------- + +tbd + +Internal Components +------------------- + +tbd diff --git a/score/launch_manager/docs/architecture/index.rst b/score/launch_manager/docs/architecture/index.rst new file mode 100644 index 000000000..3ea0100b1 --- /dev/null +++ b/score/launch_manager/docs/architecture/index.rst @@ -0,0 +1,23 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +.. _component_architecture_template: + +Component Architecture +====================== + +.. toctree:: + + component_architecture + chklst_arc_inspection diff --git a/score/launch_manager/docs/detailed_design/chklst_impl_inspection.rst b/score/launch_manager/docs/detailed_design/chklst_impl_inspection.rst new file mode 100644 index 000000000..8e94f08a5 --- /dev/null +++ b/score/launch_manager/docs/detailed_design/chklst_impl_inspection.rst @@ -0,0 +1,115 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +.. document:: Launch Manager Implementation Inspection Checklist + :id: doc__launch_manager_impl_inspection + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__sw_implementation_inspection + + +Implementation Inspection Checklist +=================================== + +Purpose +------- + +The purpose of this checklist is to collect the topics to be checked during implementation, +i.e. in the detailed design and the source code of the units. + +The checklist shall be agnostic to which programming language is used. Differences shall be treated +by linking to C++ or Rust specific documentation. + +Conduct +------- + +As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled: + +- content responsible (author): <contributor/committer explicitly named here, who is the main author, as can be seen in config mgt tooling> +- reviewer: <contributor/committer explicitly named here, who is the main content reviewer, must be different from content responsible> +- moderator: <committer explicitly named here, who is is the safety manager, security manager or quality manager initiating the inspection> + +Checklist +--------- + +It is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additionally to add in the remarks why it is passed or not passed. +In case of "no" an issue link to the issue tracking system has to be added in the last column (if not solved in the same issue). +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Implementation Checklist + :header-rows: 1 + :widths: 10,30,50,6,6,8 + + * - Review ID + - Acceptance Criteria + - Guidance + - Passed + - Remarks + - Issue link + * - IMPL_01_01 + - Is the design according to guidelines? + - see :need:`gd_temp__detailed_design` and :need:`doc_concept__imp_concept` + (e.g. are the views done with the proposed UML diagrams) + - + - + - + * - IMPL_01_02 + - Is the implementation according to specification? + - Check if the linked component requirements are fulfilled + and detailed design also matches architecture description. + - + - + - + * - IMPL_01_03 + - Are the design decisions and constraints documented? + - Check also for plausibility of these. + - + - + - + * - IMPL_01_04 + - Are all external libraries used by the component specified in the detailed design? + - Check the automated dependency analysis. + Also make sure ASIL rated units also only use ASIL rated libraries. + - + - + - + * - IMPL_02_01 + - Are the static and dynamic code analysis reports verified for violations? + - All violations in ASIL related code must be justified. This includes the checks of coding guidelines. + - + - + - + * - IMPL_02_02 + - Do manual checks, that are derived from the coding guideline, find no safety critical error? + - Check this for the programming language used (e.g. C++ <link_to_checks_list>, Rust <link_to_checks_list>) + - + - + - + * - IMPL_03_01 + - Do the UID of the interface in component documentation match the implemented interface names of the unit? + - Compare interface UIDs (which contains the interface name) in component architecture/detailed design documentation + with public interfaces in source code (e.g. API headers, traits, public types/functions). + - + - + - + * - IMPL_03_02 + - Are detailed design and source code consistent and is the respective traceability established ? + - Check if available static and dynamic design diagrams and the textual descriptions match the code + (e.g. naming of interfaces, units, functions/operations/messages, data types). + Check if the folder/file names of the units and its source code matches the intended functionality. + For example if a unit is named "communication" it should not contain code for "data processing". + - + - + - diff --git a/score/launch_manager/docs/detailed_design/detailed_design.rst b/score/launch_manager/docs/detailed_design/detailed_design.rst new file mode 100644 index 000000000..cf3e97dd3 --- /dev/null +++ b/score/launch_manager/docs/detailed_design/detailed_design.rst @@ -0,0 +1,82 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Example: Detailed Design +======================== + +.. document:: Launch Manager Detailed Design + :id: doc__launch_manager_detailed_design + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__sw_implementation + + +Detailed Design for Component: Launch Manager +============================================= + +Description +----------- + +| Design Decisions - For the documentation of the decision the :need:`gd_temp__change_decision_record` can be used. +| Design Constraints + +Example: + + - component is split into two units unit1 and unit2 based on single responsibility principle. + - unit2 is injected to unit1 one via dependency injection for testability. + +Rationale Behind Decomposition into Units +****************************************** +| mandatory: a motivation for the decomposition into one or more units. + +.. note:: Reason for split into multiple units could be- + - Based on design principles like SOLID,DRY etc + - Based on design pattern's etc. + +Static Diagrams for Unit Interactions +------------------------------------- + +A static view provides an overview of the units and their relationships using +UML 2.0 notations (e.g. class diagrams, component diagrams). Use ``.. uml::`` +or ``.. image::`` directives to include the diagram. + + +Dynamic Diagrams for Unit Interactions (optional) +-------------------------------------------------- + +A dynamic view illustrates how the units within a component interact over their +interfaces to fulfill a specific use case or functionality. It is optional when the +component's behaviour is straightforward and can be understood from the static view +and interface documentation alone. + +Use standard UML behavioural diagrams (sequence diagrams, state machine diagrams) +with ``.. uml::`` or ``.. image::`` directives. + + +Units within the Component +-------------------------- + +The relationship between a unit and its parent component is established implicitly +through the file path. Each component has its own directory, and units residing +within that directory belong to it. The unit's attributes and behaviour are documented +in the source code itself. A separate static diagram per unit is not required. + +Interface documentation of a software unit is part of the source code (e.g. public +API headers, trait definitions, or documented function signatures). + +Example: + +- unit1: implements the main logic (see source code for details) +- unit2: injected into unit1 via dependency injection for testability diff --git a/score/launch_manager/docs/detailed_design/index.rst b/score/launch_manager/docs/detailed_design/index.rst new file mode 100644 index 000000000..c70f2ae37 --- /dev/null +++ b/score/launch_manager/docs/detailed_design/index.rst @@ -0,0 +1,42 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +.. _launch_manager_detailed_design: + +Detailed Design +############### + +.. attention:: + + The detailed design document is optional and should be created if the design of the component is complex and cannot be easily understood from the architecture documentation and interface documentation alone. + But the inspection checklist for the implementation is mandatory. + + +Detail design example +--------------------- + +An example of documenting detailed design can be found in: + + .. toctree:: + + detailed_design + +Inspection Checklist +-------------------- + +The checklist for verification of the detailed design and code can be found here: + +.. toctree:: + + chklst_impl_inspection diff --git a/score/launch_manager/docs/index.rst b/score/launch_manager/docs/index.rst index 5995ea5ee..66c101951 100644 --- a/score/launch_manager/docs/index.rst +++ b/score/launch_manager/docs/index.rst @@ -21,6 +21,19 @@ Launch Manager user_guide/index.rst product_documentation/known_limitations.rst +.. toctree:: + :hidden: + + requirements/index.rst + requirements/chklst_req_inspection + architecture/index.rst + architecture/chklst_arc_inspection + detailed_design/index.rst + detailed_design/chklst_impl_inspection + safety_analysis/fmea.rst + safety_analysis/dfa.rst + safety_analysis/aou_requirements.rst + Subcomponents ============= .. toctree:: diff --git a/score/launch_manager/docs/requirements/chklst_req_inspection.rst b/score/launch_manager/docs/requirements/chklst_req_inspection.rst new file mode 100644 index 000000000..ed131b055 --- /dev/null +++ b/score/launch_manager/docs/requirements/chklst_req_inspection.rst @@ -0,0 +1,181 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +.. document:: Launch Manager Requirements Inspection Checklist + :id: doc__launch_manager_req_inspection + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__requirements_inspect + + +Requirement Inspection Checklist +================================ + +Purpose +------- + +The purpose of this requirement inspection checklist is to collect the topics to be checked during requirements inspection. + +Conduct +------- + +As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled: + +- content responsible (author): <contributor/committer explicitly named here, who is the main author, as can be seen in config mgt tooling> +- reviewer: <contributor/committer explicitly named here, who is the main content reviewer, must be different from content responsible> +- moderator: <committer explicitly named here, who is is the safety manager, security manager or quality manager initiating the inspection> +- test expert: <one of the reviewers explicitly named here, to cover REQ_08_01 as described> + +Checklist +--------- + +It is mandatory to fill in the "passed" column with "yes" or "no" for each checklist item and additionally to add in the remarks why it is passed or not passed. +In case of "no" an issue link to the issue tracking system has to be added in the last column (if not solved in the same issue). +See also :need:`doc_concept__wp_inspections` for further information about reviews in general and inspection in particular. + +.. list-table:: Component Requirement Inspection Checklist + :header-rows: 1 + :widths: 10,30,50,6,6,8 + + * - Review ID + - Acceptance Criteria + - Guidance + - Passed + - Remarks + - Issue link + * - REQ_01_01 + - Is the requirement formulation template used? + - see :need:`gd_temp__req_formulation`, this includes the use of "shall". + - + - + - + * - REQ_02_01 + - Is the requirement description *comprehensible* ? + - If you think the requirement is hard to understand, comment here. + - + - + - + * - REQ_02_02 + - Is the requirement description *unambiguous* ? + - Especially search for "weak words" like "about", "etc.", "relevant" and others (see the internet documentation on this). This check shall be supported by tooling. + - + - + - + * - REQ_02_03 + - Is the requirement description *atomic* ? + - A good way to think about this is to consider if the requirement may be tested by one (positive) test case or needs more of these. The requirement formulation template should also avoid being non-atomic already. Note that there are cases where also non-atomic requirements are the better ones, for example if those are better understandable. + - + - + - + * - REQ_02_04 + - Is the requirement description *feasible* ? + - If at the time of the inspection the requirement has already some implementation, the answer is yes. This can be checked via traces, but also :need:`gd_req__req_attr_impl` shows this. In case the requirement has no implementation at the time of inspection (i.e. not implemented at least as "proof-of-concept"), a development expert should be invited to the Pull-Request review to explicitly check this item. + - + - + - + * - REQ_02_05 + - Is the requirement description *independent from implementation* ? + - This checkpoint should improve requirements definition in the sense that the "what" is described and not the "how" - the latter should be described in architecture/design derived from the requirement. But there can also be a good reason for this, for example we would require using a file format like JSON and even specify the formatting standard already on stakeholder requirement level because we want to be compatible. A finding in this checkpoint does not mean there is a safety problem in the requirement. + - + - + - + * - REQ_03_01 + - Is the *linkage to the parent requirement* correct? + - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement. + - + - + - + * - REQ_04_01 + - Is the requirement *internally and externally consistent*? + - Does the requirement contradict other requirements within the same or higher levels? One may restrict the search to the feature for component requirements, for features to other features using same components. Is the description of the requirement consistent with all its attributes (if not already part of another check, e.g. does the title fit?). + - + - + - + * - REQ_05_01 + - Do the software requirements consider *timing constraints*? + - This checkpoint encourages to think about timing constraints even if those are not explicitly mentioned in the parent requirement. If the reviewer of a requirement already knows or suspects that the code execution will be consuming a lot of time, one should think of the expectation of a "user". + - + - + - + * - REQ_06_01 + - Does the requirement consider *external interfaces*? + - The SW platform's external interfaces (to the user) are defined in the Feature Architecture, so the Feature and Component Requirements should determine the input data use and setting of output data for these interfaces. Are all output values defined? + - + - + - + * - REQ_07_01 + - Is the *safety* attribute set correctly? + - Derived requirements are checked automatically, see :need:`gd_req__req_linkage_safety`. But for the top level requirements (and also all AoU) this needs to be checked manually for correctness. + - + - + - + * - REQ_07_02 + - Is the attribute *security* set correctly? + - For component requirements this checklist item is supported by automated check: "Every requirement which satisfies a feature requirement with security attribute set to YES inherits this". But the component requirements/architecture may additionally also be subject to a :need:`wp__sw_component_security_analysis`. + - + - + - + * - REQ_08_01 + - Is the requirement *verifiable*? + - If at the time of the inspection already tests are created for the requirement, the answer is yes. This can be checked via traces, but also :need:`gd_req__req_attr_test_covered` shows this. In case the requirement is not sufficiently traced to test cases already, a test expert is invited to the inspection to give their opinion whether the requirement is formulated in a way that supports test development and the available test infrastructure is sufficient to perform the test. + - + - + - + * - REQ_08_02 + - Is the requirement verifiable by design or code review in case it is not feasibly testable? + - In very rare cases a requirement may not be verifiable by test cases, for example a specific non-functional requirement. In this case a requirement analysis verifies the requirement by design/code review. If such a requirement is in scope of this inspection, please check this here and link to the respective review record. A test expert is invited to the inspection to confirm their opinion that the requirement is not testable. + - + - + - + * - REQ_09_01 + - Do the requirements that define a safety mechanism specify the error reaction leading to a safe state? + - Alternatively to the safe state there could also be "repair" mechanisms. Also do not forget to consider REQ_05_01 for these. + - + - + - + + +.. attention:: + The above checklist entries must be filled according to your component requirements in scope. + +Note: If a Review ID is not applicable for your requirement, then state ""n/a" in status and comment accordingly in remarks. + +The following requirements in "valid" state and with "inspected" tag set are in the scope of this inspection: + +.. needtable:: + :filter: "component_name" in docname and "requirements" in docname and docname is not None and status == "valid" + :style: table + :types: comp_req + :tags: component_name + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +And also the following AoUs in "valid" state and with "inspected" tag set (for these please answer the questions above as if the AoUs are requirements, except question REQ_03_01): + +.. needtable:: + :filter: "component_name" in docname and "requirements" in docname and docname is not None and status == "valid" + :style: table + :types: aou_req + :tags: component_name + :columns: id;status;tags + :colwidths: 25,25,25 + :sort: title + +.. attention:: + The above tables filtering must be updated according to your Component. + + - Modify ``component_name`` to be your Component Name in lower snake case diff --git a/score/launch_manager/docs/requirements/index.rst b/score/launch_manager/docs/requirements/index.rst new file mode 100644 index 000000000..9eea1fc74 --- /dev/null +++ b/score/launch_manager/docs/requirements/index.rst @@ -0,0 +1,21 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Requirements +############ + +.. toctree:: + + requirements + chklst_req_inspection diff --git a/score/launch_manager/docs/requirements/requirements.rst b/score/launch_manager/docs/requirements/requirements.rst new file mode 100644 index 000000000..8134892db --- /dev/null +++ b/score/launch_manager/docs/requirements/requirements.rst @@ -0,0 +1,57 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Component Launch Manager Requirements +##################################### + +.. document:: Launch Manager Requirements + :id: doc__launch_manager_requirements + :status: draft + :safety: ASIL_B + :security: YES + :realizes: wp__requirements_comp + + +<Headlines (for the list of requirements if structuring is needed)> +=================================================================== + +Functional Requirements +----------------------- + +tbd + +Assumption of Use Requirements +------------------------------ + +tbd + +Environmental Requirements +-------------------------- + +tbd + +Hints +----- + +.. attention:: + The above directives must be updated according to your component requirements. + + - Replace the example content by the real content for your first requirement (according to :need:`gd_guidl__req_engineering`) + - Set ``safety`` and ``security`` to the right value (ASIL B/QM; YES/NO) + - Set ``reqtype`` with a link to the right value (<Functional|Interface|Process|Non-Functional>) + - Add other needed requirements for your feature + - Set ``status`` to ``valid`` and start the review/merge process + +.. needextend:: is_external == False and "__launch_manager__" in id + :+tags: lifecycle, launch_manager diff --git a/score/launch_manager/docs/safety_analysis/aou_requirements.rst b/score/launch_manager/docs/safety_analysis/aou_requirements.rst new file mode 100644 index 000000000..b172ecc92 --- /dev/null +++ b/score/launch_manager/docs/safety_analysis/aou_requirements.rst @@ -0,0 +1,51 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +AoU Component Requirements Template +=================================== + +.. document:: Launch Manager Component AoU + :id: doc__launch_manager_comp_aou + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__requirements_comp_aou + + +This page contains Assumption of Use requirement snippets that belong to the +template repository. + +Component AoU +------------- + +.. code-block:: rst + + .. aou_req:: Next Title + :id: aou_req__mod_temp_component_name__next_title + :reqtype: Process + :security: YES + :safety: ASIL_B + :status: invalid + + The Component User shall do xyz to use the component safely/securely + + .. aou_req:: Another Title + :id: aou_req__mod_temp_component_name__another + :reqtype: Process + :security: YES + :safety: ASIL_B + :status: invalid + :tags: environment + + The Component shall only be used in a xyz environment to ensure its proper functioning. diff --git a/score/launch_manager/docs/safety_analysis/dfa.rst b/score/launch_manager/docs/safety_analysis/dfa.rst new file mode 100644 index 000000000..9e2bf4dc4 --- /dev/null +++ b/score/launch_manager/docs/safety_analysis/dfa.rst @@ -0,0 +1,49 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +DFA (Dependent Failure Analysis) +================================ + +.. document:: Launch Manager DFA + :id: doc__launch_manager_dfa + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__sw_component_dfa + +.. note:: Use the content of the document to describe e.g. why a fault model is not applicable for the diagram. + +Dependent Failure Initiators +---------------------------- + +.. code-block:: rst + + .. comp_saf_dfa:: <Title> + :violates: <Component architecture> + :id: comp_saf_dfa__<Component>__<Element descriptor> + :failure_id: <ID from DFA failure initiators :need:`gd_guidl__dfa_failure_initiators`> + :failure_effect: "description of failure effect of the failure initiator on the element" + :mitigated_by: <ID from Component Requirement | ID from AoU Component Requirement> + :mitigation_issue: <ID from Issue Tracker> + :sufficient: <yes|no> + :status: <valid|invalid> + +.. note:: Argument is inside the 'content'. Therefore content is mandatory. + +.. attention:: + The above directive must be updated according to your component DFA. + + - The above "code-block" directive must be updated + - Fill in all the needed information in the <brackets> diff --git a/score/launch_manager/docs/safety_analysis/fmea.rst b/score/launch_manager/docs/safety_analysis/fmea.rst new file mode 100644 index 000000000..2267d9ea0 --- /dev/null +++ b/score/launch_manager/docs/safety_analysis/fmea.rst @@ -0,0 +1,123 @@ +.. + # ******************************************************************************* + # Copyright (c) 2026 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + + +FMEA (Failure Modes and Effects Analysis) +========================================= + +.. document:: Launch Manager FMEA + :id: doc__launch_manager_fmea + :status: draft + :safety: ASIL_B + :security: NO + :realizes: wp__sw_component_fmea + +.. note:: Use the content of the document to describe e.g. why a fault model is not applicable for the diagram. + + +Failure Mode List +----------------- + +.. list-table:: Fault Models for sequence diagrams + :header-rows: 1 + :widths: 10,20,10,20 + + * - ID + - Failure Mode + - Applicability + - Rationale + * - MF_01_01 + - message is not received (is a subset/more precise description of MF_01_05) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_02 + - message received too late (only relevant if delay is a realistic fault) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_03 + - message received too early (usually not a problem) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_04 + - message not received correctly by all recipients (different messages or messages partly lost). Only relevant if the same message goes to multiple recipients. + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_05 + - message is corrupted + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_06 + - message is not sent + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - MF_01_07 + - message is unintended sent + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - CO_01_01 + - minimum constraint boundary is violated + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - CO_01_02 + - maximum constraint boundary is violated + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_01 + - Process calculates wrong result(s) (is a subset/more precise description of MF_01_05 or MF_01_04). This failure mode is related to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size / complexity of the feature. + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_02 + - processing too slow (only relevant if timing is considered) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_03 + - processing too fast (only relevant if timing is considered) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_04 + - loss of execution + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_05 + - processing changes to arbitrary process + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + * - EX_01_06 + - processing is not complete (infinite loop) + - <yes | no> + - <Rationale if not applicable, otherwise link to filled out FMEA> + +FMEA +---- +For all identified applicable failure initiators, the FMEA is performed in the following section. + +.. code-block:: rst + + .. comp_saf_fmea:: <Title> + :violates: <Component architecture> + :id: comp_saf_fmea__<Component>__<Element descriptor> + :fault_id: <ID from fault model :need:`gd_guidl__fault_models`> + :failure_effect: "description of failure effect of the fault model on the element" + :mitigated_by: <ID from Component Requirement | ID from AoU Component Requirement> + :mitigation_issue: <ID from Issue Tracker> + :sufficient: <yes|no> + :status: <valid|invalid> + + .. note:: argument is inside the 'content'. Therefore content is mandatory + +.. attention:: + The above directive must be updated according to your component FMEA. + + - The above "code-block" directive must be updated + - Fill in all the needed information in the <brackets> diff --git a/score/launch_manager/docs/security_analysis/.gitkeep b/score/launch_manager/docs/security_analysis/.gitkeep new file mode 100644 index 000000000..e69de29bb