From 78aedbb4e91f505f59628b60468e18e8ff1c0e38 Mon Sep 17 00:00:00 2001
From: pandaedo
Date: Thu, 25 Sep 2025 15:50:33 +0200
Subject: [PATCH 1/2] closes #1805
---
 MODULE.bazel | 2 +-
 .../persistency/kvs/architecture/index.rst | 4 +-
 docs/features/persistency/kvs/index.rst | 4 +-
 .../requirements/chklst_req_inspection.rst | 200 +++++++++---------
 .../persistency/kvs/requirements/index.rst | 4 +-
 .../persistency/kvs/safety_analysis/dfa.rst | 90 ++++----
 .../persistency/kvs/safety_analysis/fmea.rst | 34 +--
 .../persistency/kvs/safety_planning/index.rst | 9 +
 .../persistency/docs/manual/safety_manual.rst | 6 +-
 .../persistency/docs/release/release_note.rst | 3 +-
 .../safety_mgt/module_safety_package_fdr.rst | 1 +
 .../docs/safety_mgt/module_safety_plan.rst | 1 +
 .../safety_mgt/module_safety_plan_fdr.rst | 1 +
 .../module_verification_report.rst | 3 +-
 docs/modules/persistency/index.rst | 4 +-
 .../json/docs/component_classification.rst | 1 +
 docs/modules/persistency/json/docs/index.rst | 3 +-
 .../kvs/docs/architecture/index.rst | 5 +-
 docs/modules/persistency/kvs/docs/index.rst | 3 +-
 .../kvs/docs/requirements/index.rst | 3 +-
 .../kvs/docs/safety_analysis/dfa.rst | 3 +-
 .../kvs/docs/safety_analysis/fmea.rst | 5 +-
 22 files changed, 212 insertions(+), 177 deletions(-)
diff --git a/MODULE.bazel b/MODULE.bazel
index 8a8863f0bb..3c1b9e637e 100644
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -36,7 +36,7 @@ use_repo(python)
 # Additional Python rules provided by aspect, e.g. an improved version of
 # `py_binary`. But more importantly, it provides `py_venv`.
-bazel_dep(name = "aspect_rules_py", version = "1.4.0")
+bazel_dep(name = "aspect_rules_py", version = "1.6.3")
 ###############################################################################
 #
diff --git a/docs/features/persistency/kvs/architecture/index.rst b/docs/features/persistency/kvs/architecture/index.rst
index ef1b9703fd..c8ec9f4a34 100644
--- a/docs/features/persistency/kvs/architecture/index.rst
+++ b/docs/features/persistency/kvs/architecture/index.rst
@@ -18,10 +18,12 @@ Architecture
 ============
 .. document:: Persistency KVS Feature Architecture
- :id: doc__persistency_kvs_feat_arch
+ :id: doc__persistency_architecture
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__feature_arch
+ :tags: persistency
 Overview
 --------
diff --git a/docs/features/persistency/kvs/index.rst b/docs/features/persistency/kvs/index.rst
index c4b5fe3baf..c885a2676e 100644
--- a/docs/features/persistency/kvs/index.rst
+++ b/docs/features/persistency/kvs/index.rst
@@ -19,7 +19,9 @@ Key-Value-Storage
 :id: doc__persistency_kvs
 :status: valid
 :safety: ASIL_B
- :tags: feature_request, persistency_kvs
+ :security: NO
+ :realizes: PROCESS_wp__feat_request
+ :tags: feature_request, persistency
 .. toctree::
 requirements/index.rst
diff --git a/docs/features/persistency/kvs/requirements/chklst_req_inspection.rst b/docs/features/persistency/kvs/requirements/chklst_req_inspection.rst
index 617194178d..f91f508d2c 100644
--- a/docs/features/persistency/kvs/requirements/chklst_req_inspection.rst
+++ b/docs/features/persistency/kvs/requirements/chklst_req_inspection.rst
@@ -18,106 +18,108 @@ Requirement Inspection Checklist Persistency KVS
 ================================================
 .. document:: Requirements Inspection Checklist Persistency KVS
- :id: doc__req_inspection_persistency
- :status: valid
- :tags: persistency
+ :id: doc__req_inspection_persistency
+ :status: valid
+ :safety: ASIL_B
+ :security: NO
+ :tags: persistency
- **Purpose**
- The purpose of this requirement inspection checklist is to collect the topics to be checked during requirements inspection.
+**Purpose**
+The purpose of this requirement inspection checklist is to collect the topics to be checked during requirements inspection.
- **Checklist**
+**Checklist**
- .. list-table:: Requirement Inspection Checklist Persistency KVS
- :header-rows: 1
- :widths: 10,30,50,6,6,8
+.. list-table:: Requirement Inspection Checklist Persistency KVS
+ :header-rows: 1
+ :widths: 10,30,50,6,6,8
- * - Review ID
- - Acceptance Criteria
- - Guidance
- - Passed
- - Remarks
- - Issue link
- * - REQ_01_01
- - Is the requirement sentence template used?
- - see :need:`PROCESS_gd_temp__req_formulation`, this includes the use of "shall".
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_02_01
- - Is the requirement description *comprehensible* ?
- - If you think the requirement is hard to understand, comment here.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_02_02
- - Is the requirement description *unambiguous* ?
- - Especially search for "weak words" like "about", "etc.", "relevant" and others (see the internet documentation on this). This check shall be supported by tooling.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_02_03
- - Is the requirement description *atomic* ?
- - A good way to think about this is to consider if the requirement may be tested by one (positive) test case or needs more of these.
The sentence template should also avoid being non-atomic already. Note that there are cases where also non-atomic requirements are the better ones, for example if those are better understandable.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_02_04
- - Is the requirement description *feasible* ?
- - Expectation is that at the time of the inspection the requirement has already some implementation. This can be checked via traces, but also :need:`PROCESS_gd_req__req_attr_impl` shows this. In case the requirement is not mature enough at the time of inspection (i.e. not implemented at least as "proof-of-concept"), a development expert should be invited to the Pull-Request review to explicitly check this item.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_02_05
- - Is the requirement description *independent from implementation* ?
- - This checkpoint should improve requirements definition in the sense that the "what" is described and not the "how" - the latter should be described in architecture/design derived from the requirement. But there can also be a good reason for this, for example we would require using a file format like JSON and even specify the formatting standard already on stakeholder requirement level because we want to be compatible. A finding in this checkpoint does not mean there is a safety problem in the requirement.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_03_01
- - For stakeholder requirements: Is the *rationale* correct?
- - Rationales explain why the top level requirements were invented. Do those cover the requirement?
- - N/A
- - No stakeholder requirements for Persistency KVS needed.
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_03_02
- - For other requirements: Is the *linkage to the parent requirement* correct?
- - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_04_01
- - Is the requirement *internally and externally consistent*?
- - Does the requirement contradict other requirements within the same or higher levels? One may restrict the search to the feature for component requirements, for features to other features using same components.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_05_01
- - Do the software requirements consider *timing constraints of the parent requirement*?
- - This bullet point encourages to think about timing constraints even if those are not explicitly mentioned in the parent requirement. If the reviewer of a requirement already knows or suspects that the implementation will be time consuming, one should think of the expectation of a "user".
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_06_01
- - Does the Requirement consider *external interfaces*?
- - The SW platform's external interfaces (to the user) are defined in the Feature Architecture, so the Feature and Component Requirements should determine the data consumed and set on these interfaces. Are output values completely defined?
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_07_01
- - Is the *ASIL Attribute* set correctly?
- - Derived requirements are checked automatically, see :need:`PROCESS_gd_req__req_linkage_safety`. But for the top level requirements this needs to be checked for correctness. Also AoU from external components need check for correct ASIL as those are the "origin" of safety requirements towards the SW platform.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_07_02
- - Is the attribute *security* set correctly?
- - Stakeholder requirements security attribute should be set based on Threat Analysis and Risk Assessment (TARA) (process is TBD). Checklist item is supported by automated check: "Every requirement which satisfies a requirement with security attribute set to YES inherits this". Expectation is that the feature/component requirements/architecture may also be subject to a Software Security Criticality Analysis (process is TBD).
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
- * - REQ_08_01
- - Is the requirement *verifiable*?
- - Expectation is that at the time of the inspection already tests are created for the requirement. This can be checked via traces, but also :need:`PROCESS_gd_req__req_attr_test_covered` shows this. In case the requirement is not mature enough at the time of inspection (i.e. missing test cases), a test expert should be invited to the Pull-Request review to explicitly check this item.
- - Yes
- - No remarks
- - https://github.com/eclipse-score/score/issues/960
+ * - Review ID
+ - Acceptance Criteria
+ - Guidance
+ - Passed
+ - Remarks
+ - Issue link
+ * - REQ_01_01
+ - Is the requirement sentence template used?
+ - see :need:`PROCESS_gd_temp__req_formulation`, this includes the use of "shall".
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_02_01
+ - Is the requirement description *comprehensible* ?
+ - If you think the requirement is hard to understand, comment here.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_02_02
+ - Is the requirement description *unambiguous* ?
+ - Especially search for "weak words" like "about", "etc.", "relevant" and others (see the internet documentation on this). This check shall be supported by tooling.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_02_03
+ - Is the requirement description *atomic* ?
+ - A good way to think about this is to consider if the requirement may be tested by one (positive) test case or needs more of these. The sentence template should also avoid being non-atomic already. Note that there are cases where also non-atomic requirements are the better ones, for example if those are better understandable.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_02_04
+ - Is the requirement description *feasible* ?
+ - Expectation is that at the time of the inspection the requirement has already some implementation. This can be checked via traces, but also :need:`PROCESS_gd_req__req_attr_impl` shows this. In case the requirement is not mature enough at the time of inspection (i.e. not implemented at least as "proof-of-concept"), a development expert should be invited to the Pull-Request review to explicitly check this item.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_02_05
+ - Is the requirement description *independent from implementation* ?
+ - This checkpoint should improve requirements definition in the sense that the "what" is described and not the "how" - the latter should be described in architecture/design derived from the requirement. But there can also be a good reason for this, for example we would require using a file format like JSON and even specify the formatting standard already on stakeholder requirement level because we want to be compatible. A finding in this checkpoint does not mean there is a safety problem in the requirement.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_03_01
+ - For stakeholder requirements: Is the *rationale* correct?
+ - Rationales explain why the top level requirements were invented. Do those cover the requirement?
+ - N/A
+ - No stakeholder requirements for Persistency KVS needed.
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_03_02
+ - For other requirements: Is the *linkage to the parent requirement* correct?
+ - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_04_01
+ - Is the requirement *internally and externally consistent*?
+ - Does the requirement contradict other requirements within the same or higher levels? One may restrict the search to the feature for component requirements, for features to other features using same components.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_05_01
+ - Do the software requirements consider *timing constraints of the parent requirement*?
+ - This bullet point encourages to think about timing constraints even if those are not explicitly mentioned in the parent requirement. If the reviewer of a requirement already knows or suspects that the implementation will be time consuming, one should think of the expectation of a "user".
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_06_01
+ - Does the Requirement consider *external interfaces*?
+ - The SW platform's external interfaces (to the user) are defined in the Feature Architecture, so the Feature and Component Requirements should determine the data consumed and set on these interfaces. Are output values completely defined?
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_07_01
+ - Is the *ASIL Attribute* set correctly?
+ - Derived requirements are checked automatically, see :need:`PROCESS_gd_req__req_linkage_safety`. But for the top level requirements this needs to be checked for correctness.
Also AoU from external components need check for correct ASIL as those are the "origin" of safety requirements towards the SW platform.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_07_02
+ - Is the attribute *security* set correctly?
+ - Stakeholder requirements security attribute should be set based on Threat Analysis and Risk Assessment (TARA) (process is TBD). Checklist item is supported by automated check: "Every requirement which satisfies a requirement with security attribute set to YES inherits this". Expectation is that the feature/component requirements/architecture may also be subject to a Software Security Criticality Analysis (process is TBD).
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
+ * - REQ_08_01
+ - Is the requirement *verifiable*?
+ - Expectation is that at the time of the inspection already tests are created for the requirement. This can be checked via traces, but also :need:`PROCESS_gd_req__req_attr_test_covered` shows this. In case the requirement is not mature enough at the time of inspection (i.e. missing test cases), a test expert should be invited to the Pull-Request review to explicitly check this item.
+ - Yes
+ - No remarks
+ - https://github.com/eclipse-score/score/issues/960
diff --git a/docs/features/persistency/kvs/requirements/index.rst b/docs/features/persistency/kvs/requirements/index.rst
index 23bba0ebe8..d09b7a3ca3 100644
--- a/docs/features/persistency/kvs/requirements/index.rst
+++ b/docs/features/persistency/kvs/requirements/index.rst
@@ -19,10 +19,12 @@ Requirements
 ############
 .. document:: Persistency KVS Feature Requirements
- :id: doc__persistency_kvs_feat_reqs
+ :id: doc__persistency_requirements
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__requirements_feat
+ :tags: persistency
 .. feat_req:: C++ & Rust Interoperability
 :id: feat_req__persistency__cpp_rust_interop
diff --git a/docs/features/persistency/kvs/safety_analysis/dfa.rst b/docs/features/persistency/kvs/safety_analysis/dfa.rst
index f8d9fef4be..d655236b9e 100644
--- a/docs/features/persistency/kvs/safety_analysis/dfa.rst
+++ b/docs/features/persistency/kvs/safety_analysis/dfa.rst
@@ -17,58 +17,60 @@ Persistency DFA
 .. document:: DFA
 :id: doc__persistency_dfa
- :status: draft
+ :status: valid
 :safety: ASIL_B
- :tags: feature_persistency
+ :security: NO
+ :realizes: PROCESS_wp__feature_dfa
+ :tags: persistency
- For the DFA analysis where the failure initiators :need:`PROCESS_gd_guidl__dfa_failure_initiators` are used. The analysis is done before the platform DFA is done.
- Safety mechanisms that are used by many features are not considered here, but at the platform DFA. The analysis is only done for the needs of the persistency feature.
- The components KVS and JSON will also be considered at the platform DFA. No additional violations within the persistency feature are expected.
+For the DFA analysis where the failure initiators :need:`PROCESS_gd_guidl__dfa_failure_initiators` are used. The analysis is done before the platform DFA is done.
+Safety mechanisms that are used by many features are not considered here, but at the platform DFA. The analysis is only done for the needs of the persistency feature.
+The components KVS and JSON will also be considered at the platform DFA. No additional violations within the persistency feature are expected.
- The following failure initiators doesn't apply to the persistency feature:
+The following failure initiators doesn't apply to the persistency feature:
- Shared resources
- - SR_01_01: Reused software module: No reused software modules are used.
- - SR_01_02: Library: The file system fs is a library. It will be considered at the platform DFA. Same argument is used for the JSON library.
- - SR_01_04: Basic software: No basic software is used.
- - SR_01_05: Operating system including scheduler: Might be considered at the platform DFA or is out of scope.
- - SR_01_06: Any service stack, e.g. communication stack: No service stack is used.
- - SR_01_09: Execution time: There is no timing impact at persistency, so no mitigation is needed.
- - SR_01_10: Allocated memory: Will be considered at the platform DFA. JSON can effect it, but it should not be allowed.
+Shared resources
+ - SR_01_01: Reused software module: No reused software modules are used.
+ - SR_01_02: Library: The file system fs is a library. It will be considered at the platform DFA. Same argument is used for the JSON library.
+ - SR_01_04: Basic software: No basic software is used.
+ - SR_01_05: Operating system including scheduler: Might be considered at the platform DFA or is out of scope.
+ - SR_01_06: Any service stack, e.g. communication stack: No service stack is used.
+ - SR_01_09: Execution time: There is no timing impact at persistency, so no mitigation is needed.
+ - SR_01_10: Allocated memory: Will be considered at the platform DFA. JSON can effect it, but it should not be allowed.
- Communication between the two elements
- - CO_01_01: Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow): Failure initiator not applicable at persistency, so no mitigation is needed.
- - CO_01_02: Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information: Persistency is developed fully deterministic. So no corruption, repetition, loss, delay, masquerading or incorrect addressing of information is expected.
- - CO_01_03: Insertion / sequence of information: Subset of CO_01_02.
- - CO_01_04: Corruption of information, inconsistent data: Subset of CO_01_02.
- - CO_01_05: Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same informations: Failure initiator not applicable at persistency, so no mitigation is needed.
- - CO_01_06: Information from a sender received by only a subset of the receivers: Failure initiator not applicable at persistency, so no mitigation is needed.
- - CO_01_07: Blocking access to a communication channel: Failure initiator not applicable at persistency, so no mitigation is needed.
+Communication between the two elements
+ - CO_01_01: Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow): Failure initiator not applicable at persistency, so no mitigation is needed.
+ - CO_01_02: Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information: Persistency is developed fully deterministic. So no corruption, repetition, loss, delay, masquerading or incorrect addressing of information is expected.
+ - CO_01_03: Insertion / sequence of information: Subset of CO_01_02.
+ - CO_01_04: Corruption of information, inconsistent data: Subset of CO_01_02.
+ - CO_01_05: Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same informations: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - CO_01_06: Information from a sender received by only a subset of the receivers: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - CO_01_07: Blocking access to a communication channel: Failure initiator not applicable at persistency, so no mitigation is needed.
- Shared information inputs
- - SI_01_02: Configuration data: Failure initiator not applicable at persistency, so no mitigation is needed.
- - SI_01_03: Constants, or variables, being global to the two software functions: Failure initiator not applicable at persistency, so no mitigation is needed.
- - SI_01_04: Basic software passes data (read from hardware register and converted into logical information) to two applications software functions: Failure initiator not applicable at persistency, so no mitigation is needed.
- - SI_01_05: Data / function parameter arguments / messages delivered by software function to more than one other function: Failure initiator not applicable at persistency, so no mitigation is needed.
+Shared information inputs
+ - SI_01_02: Configuration data: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - SI_01_03: Constants, or variables, being global to the two software functions: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - SI_01_04: Basic software passes data (read from hardware register and converted into logical information) to two applications software functions: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - SI_01_05: Data / function parameter arguments / messages delivered by software function to more than one other function: Failure initiator not applicable at persistency, so no mitigation is needed.
- Unintended impact
- - UI_01_01: Memory miss-allocation and leaks: Will be considered at the platform DFA.
- - UI_01_02: Read/Write access to memory allocated to another software element: Will be considered at the platform DFA.
- - UI_01_03: Stack/Buffer under-/overflow: Might happens but very unlikely in RUST. Will be considered at the platform DFA.
- - UI_01_04: Deadlocks: Deadlocks are not caused by the KVS, but by the application.
- - UI_01_05: Livelocks: Same consideration as done in UI_01_04.
- - UI_01_07: Incorrect allocation of execution time: Failure initiator not applicable at persistency, so no mitigation is needed.
- - UI_01_08: Incorrect execution flow: Failure initiator not applicable at persistency, so no mitigation is needed.
- - UI_01_09: Incorrect synchronization between software elements: Failure initiator not applicable at persistency, so no mitigation is needed.
- - UI_01_10: CPU time depletion: Failure initiator not applicable at persistency, so no mitigation is needed. Will be anylysed at the platform DFA.
- - UI_01_11: Memory depletion: Failure initiator not applicable at persistency, so no mitigation is needed. Will be anylysed at the platform DFA.
- - UI_01_12: Other HW unavailability: Failure initiator not applicable at persistency, so no mitigation is needed.
+Unintended impact
+ - UI_01_01: Memory miss-allocation and leaks: Will be considered at the platform DFA.
+ - UI_01_02: Read/Write access to memory allocated to another software element: Will be considered at the platform DFA.
+ - UI_01_03: Stack/Buffer under-/overflow: Might happens but very unlikely in RUST. Will be considered at the platform DFA.
+ - UI_01_04: Deadlocks: Deadlocks are not caused by the KVS, but by the application.
+ - UI_01_05: Livelocks: Same consideration as done in UI_01_04.
+ - UI_01_07: Incorrect allocation of execution time: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - UI_01_08: Incorrect execution flow: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - UI_01_09: Incorrect synchronization between software elements: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - UI_01_10: CPU time depletion: Failure initiator not applicable at persistency, so no mitigation is needed. Will be anylysed at the platform DFA.
+ - UI_01_11: Memory depletion: Failure initiator not applicable at persistency, so no mitigation is needed. Will be anylysed at the platform DFA.
+ - UI_01_12: Other HW unavailability: Failure initiator not applicable at persistency, so no mitigation is needed.
- Development failure initiators
- - SC_01_02: Same development approaches (e.g. IDE, programming and/or modelling language): Will be considered at feature platform DFA.
- - SC_01_03: Same personal: Will be considered at feature platform DFA.
- - SC_01_04: Same social-cultural context (even if different personnel): Will be considered at feature platform DFA.
- - SC_01_05: Development fault (e.g.
human error, insufficient qualification, insufficient methods): Will be considered at feature platform DFA.
+Development failure initiators
+ - SC_01_02: Same development approaches (e.g. IDE, programming and/or modelling language): Will be considered at feature platform DFA.
+ - SC_01_03: Same personal: Will be considered at feature platform DFA.
+ - SC_01_04: Same social-cultural context (even if different personnel): Will be considered at feature platform DFA.
+ - SC_01_05: Development fault (e.g. human error, insufficient qualification, insufficient methods): Will be considered at feature platform DFA.
 .. feat_saf_dfa:: Persistency execution blocking
diff --git a/docs/features/persistency/kvs/safety_analysis/fmea.rst b/docs/features/persistency/kvs/safety_analysis/fmea.rst
index 66f62ef87e..dc9c7be603 100644
--- a/docs/features/persistency/kvs/safety_analysis/fmea.rst
+++ b/docs/features/persistency/kvs/safety_analysis/fmea.rst
@@ -17,25 +17,27 @@ Persistency FMEA
 .. document:: FMEA
 :id: doc__persistency_fmea
- :status: draft
+ :status: valid
 :safety: ASIL_B
- :tags: feature_persistency
+ :security: NO
+ :realizes: PROCESS_wp__feature_fmea
+ :tags: persistency
- For the FMEA analysis where the fault models :need:`PROCESS_gd_guidl__fault_models` are used.
- The following fault models doesn't apply to the persistency feature:
+For the FMEA analysis where the fault models :need:`PROCESS_gd_guidl__fault_models` are used.
+The following fault models doesn't apply to the persistency feature:
- Fault models
- - MF_01_03: Message received too early: Failure initiator not applicable at persistency, so no mitigation is needed.
- - MF_01_04: message not received correctly by all recipients (different messages or messages partly lost): Failure initiator not applicable at persistency, so no mitigation is needed.
- - MF_01_07: Message is unintended sent: Failure initiator not applicable at persistency. Feature developed fully deterministic, so no unintended messages are expected.
- - CO_01_01: Minimum constraint boundary is violated: Failure initiator not applicable at persistency, so no mitigation is needed.
- - CO_01_02: Maximum constraint boundary is violated: Failure initiator not applicable at persistency, so no mitigation is needed.
- - EX_01_01: Process calculates wrong result(s): Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no wrong results are expected caused by persistency
- - EX_01_02: Processing too slow: Failure initiator not applicable at persistency. The feature is developed fully deterministic, so no processing too slow is expected caused by persistency.
- - EX_01_03: Processing too fast: Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no processing too fast is expected caused by persistency.
- - EX_01_04: Loss of execution: Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no loss of execution is expected caused by persistency.
- - EX_01_05: Processing changes to arbitrary process: Failure initiator not applicable at persistency, so no mitigation is needed.
- - EX_01_06: Processing is not complete (infinite loop): Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no infinite loop is expected caused by persistency.
+Fault models
+ - MF_01_03: Message received too early: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - MF_01_04: message not received correctly by all recipients (different messages or messages partly lost): Failure initiator not applicable at persistency, so no mitigation is needed.
+ - MF_01_07: Message is unintended sent: Failure initiator not applicable at persistency. Feature developed fully deterministic, so no unintended messages are expected.
+ - CO_01_01: Minimum constraint boundary is violated: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - CO_01_02: Maximum constraint boundary is violated: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - EX_01_01: Process calculates wrong result(s): Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no wrong results are expected caused by persistency
+ - EX_01_02: Processing too slow: Failure initiator not applicable at persistency. The feature is developed fully deterministic, so no processing too slow is expected caused by persistency.
+ - EX_01_03: Processing too fast: Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no processing too fast is expected caused by persistency.
+ - EX_01_04: Loss of execution: Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no loss of execution is expected caused by persistency.
+ - EX_01_05: Processing changes to arbitrary process: Failure initiator not applicable at persistency, so no mitigation is needed.
+ - EX_01_06: Processing is not complete (infinite loop): Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministic, so no infinite loop is expected caused by persistency.
 .. feat_saf_fmea:: Persistency
diff --git a/docs/features/persistency/kvs/safety_planning/index.rst b/docs/features/persistency/kvs/safety_planning/index.rst
index a78af6b442..79bd66329e 100644
--- a/docs/features/persistency/kvs/safety_planning/index.rst
+++ b/docs/features/persistency/kvs/safety_planning/index.rst
@@ -17,6 +17,15 @@ Feature Safety Planning
 =======================
+.. document:: Persistency KVS Safety WPs
+ :id: doc__persistency_safety_wp
+ :status: valid
+ :safety: ASIL_B
+ :security: NO
+ :realizes: PROCESS_wp__platform_safety_plan
+ :tags: persistency
+
+
 .. list-table:: Feature persistency Workproducts
 :header-rows: 1
diff --git a/docs/modules/persistency/docs/manual/safety_manual.rst b/docs/modules/persistency/docs/manual/safety_manual.rst
index d78fbd15ae..df06a185e3 100644
--- a/docs/modules/persistency/docs/manual/safety_manual.rst
+++ b/docs/modules/persistency/docs/manual/safety_manual.rst
@@ -17,9 +17,11 @@ Safety Manual
 .. document:: Persistency Safety Manual
 :id: doc__persistency_safety_manual
- :status: draft
+ :status: valid
 :safety: ASIL_B
- :tags: feature_persistency
+ :security: NO
+ :tags: persistency
+ :realizes: PROCESS_wp__module_safety_manual
 Introduction/Scope
 ------------------
diff --git a/docs/modules/persistency/docs/release/release_note.rst b/docs/modules/persistency/docs/release/release_note.rst
index 934148e2cf..cd9be065dd 100644
--- a/docs/modules/persistency/docs/release/release_note.rst
+++ b/docs/modules/persistency/docs/release/release_note.rst
@@ -17,8 +17,9 @@ Release Note
 .. document:: Persistency Release Note
 :id: doc__persistency_release_note
- :status: draft
+ :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__module_sw_release_note
 :tags: persistency
diff --git a/docs/modules/persistency/docs/safety_mgt/module_safety_package_fdr.rst b/docs/modules/persistency/docs/safety_mgt/module_safety_package_fdr.rst
index ec6149ac07..4be9ed3a7a 100644
--- a/docs/modules/persistency/docs/safety_mgt/module_safety_package_fdr.rst
+++ b/docs/modules/persistency/docs/safety_mgt/module_safety_package_fdr.rst
@@ -19,6 +19,7 @@ Safety Package Formal Review Report
 :id: doc__persistency_safety_package_fdr
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__fdr_reports
 :tags: persistency
diff --git a/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst b/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst
index 00e166107c..1e84f731f5 100644
--- a/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst
+++ b/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst
@@ -19,6 +19,7 @@ Module Safety Plan
 :id: doc__persistency_safety_plan
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__module_safety_plan
 :tags: persistency
diff --git a/docs/modules/persistency/docs/safety_mgt/module_safety_plan_fdr.rst b/docs/modules/persistency/docs/safety_mgt/module_safety_plan_fdr.rst
index 56c8a9130f..2bdee0487e 100644
--- a/docs/modules/persistency/docs/safety_mgt/module_safety_plan_fdr.rst
+++ b/docs/modules/persistency/docs/safety_mgt/module_safety_plan_fdr.rst
@@ -19,6 +19,7 @@ Safety Plan Formal Review Report
 :id: doc__persistency_safety_plan_fdr
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__fdr_reports
 :tags: persistency
diff --git a/docs/modules/persistency/docs/verification/module_verification_report.rst b/docs/modules/persistency/docs/verification/module_verification_report.rst
index 0d0a2b414c..28d230ab2d 100644
--- a/docs/modules/persistency/docs/verification/module_verification_report.rst
+++ b/docs/modules/persistency/docs/verification/module_verification_report.rst
@@ -17,8 +17,9 @@ Verification Report
 .. document:: Persistency Verification Report
 :id: doc__persistency_verification_report
- :status: draft
+ :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__verification_module_ver_report
 :tags: persistency
diff --git a/docs/modules/persistency/index.rst b/docs/modules/persistency/index.rst
index be2a2bf678..b7e498ec7c 100644
--- a/docs/modules/persistency/index.rst
+++ b/docs/modules/persistency/index.rst
@@ -12,8 +12,8 @@
 # SPDX-License-Identifier: Apache-2.0
 # *******************************************************************************
-KVS Module
-##########
+Persistency KVS Module
+######################
 .. toctree::
 :titlesonly:
diff --git a/docs/modules/persistency/json/docs/component_classification.rst b/docs/modules/persistency/json/docs/component_classification.rst
index f5ef186051..7f5046718c 100644
--- a/docs/modules/persistency/json/docs/component_classification.rst
+++ b/docs/modules/persistency/json/docs/component_classification.rst
@@ -19,6 +19,7 @@ Component Classification
 :id: doc__persistency_component_classification
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__sw_component_class
 :tags: feature_persistency
diff --git a/docs/modules/persistency/json/docs/index.rst b/docs/modules/persistency/json/docs/index.rst
index 64f5b47e5b..8b25c6d065 100644
--- a/docs/modules/persistency/json/docs/index.rst
+++ b/docs/modules/persistency/json/docs/index.rst
@@ -24,8 +24,9 @@ Tiny JSON
 .. document:: Persistency JSON
 :id: doc__persistencyjson
- :status: draft
+ :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__cmpt_request
 :tags: template
diff --git a/docs/modules/persistency/kvs/docs/architecture/index.rst b/docs/modules/persistency/kvs/docs/architecture/index.rst
index 754dbeeb05..5a74588a2b 100644
--- a/docs/modules/persistency/kvs/docs/architecture/index.rst
+++ b/docs/modules/persistency/kvs/docs/architecture/index.rst
@@ -18,9 +18,10 @@ Architecture
 ============
 .. document:: Persistency KVS Module Architecture
- :id: doc__persistency_kvs_mod_arch
- :status: draft
+ :id: doc__persistency_kvs_architecture
+ :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__component_arch
 Overview
diff --git a/docs/modules/persistency/kvs/docs/index.rst b/docs/modules/persistency/kvs/docs/index.rst
index 4cae409b04..15a829e165 100644
--- a/docs/modules/persistency/kvs/docs/index.rst
+++ b/docs/modules/persistency/kvs/docs/index.rst
@@ -19,8 +19,9 @@ KVS (Key Value Store)
 .. document:: Persistency KVS
 :id: doc__persistencykvs
- :status: draft
+ :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__cmpt_request
 :tags: Persistency KVS
diff --git a/docs/modules/persistency/kvs/docs/requirements/index.rst b/docs/modules/persistency/kvs/docs/requirements/index.rst
index daa48f5a70..9e18fb63c7 100644
--- a/docs/modules/persistency/kvs/docs/requirements/index.rst
+++ b/docs/modules/persistency/kvs/docs/requirements/index.rst
@@ -16,9 +16,10 @@ Requirements
 ############
 .. document:: Persistency KVS Module Requirements
- :id: doc__persistency_kvs_mod_req
+ :id: doc__persistency_kvs_requirements
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__requirements_comp
 .. comp_req:: Key Naming
diff --git a/docs/modules/persistency/kvs/docs/safety_analysis/dfa.rst b/docs/modules/persistency/kvs/docs/safety_analysis/dfa.rst
index b84a58c0a0..a97200b049 100644
--- a/docs/modules/persistency/kvs/docs/safety_analysis/dfa.rst
+++ b/docs/modules/persistency/kvs/docs/safety_analysis/dfa.rst
@@ -17,9 +17,10 @@ Dependent Failure Analysis
 ==========================
 .. document:: KVS DFA
- :id: doc__kvs_dfa
+ :id: doc__persistency_kvs_dfa
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__sw_component_dfa
 :tags: Persistency KVS
diff --git a/docs/modules/persistency/kvs/docs/safety_analysis/fmea.rst b/docs/modules/persistency/kvs/docs/safety_analysis/fmea.rst
index 7da762350f..1080819166 100644
--- a/docs/modules/persistency/kvs/docs/safety_analysis/fmea.rst
+++ b/docs/modules/persistency/kvs/docs/safety_analysis/fmea.rst
@@ -13,13 +13,14 @@
 # *******************************************************************************
-Safety Analysis : FMEA
+Safety Analysis: FMEA
 ======================
 .. document:: KVS FMEA
- :id: doc__kvs_fmea
+ :id: doc__persistency_kvs_fmea
 :status: valid
 :safety: ASIL_B
+ :security: NO
 :realizes: PROCESS_wp__sw_component_fmea
 :tags: Persistency KVS
From d83923ceb4a39d3b68b746b4f7eac55430de2206 Mon Sep 17 00:00:00 2001
From: pandaedo
Date: Thu, 25 Sep 2025 16:01:57 +0200
Subject: [PATCH 2/2] update links safety plan
---
 .../docs/safety_mgt/module_safety_plan.rst | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst b/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst
index 1e84f731f5..a71ac99ffd 100644
--- a/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst
+++ b/docs/modules/persistency/docs/safety_mgt/module_safety_plan.rst
@@ -101,8 +101,8 @@ Module Workproducts List
 - :need:`PROCESS_gd_guidl__safety_analysis`
 - :ndf:`copy('status', need_id='PROCESS_gd_guidl__safety_analysis')`
 - https://github.com/eclipse-score/score/issues/952?issue=eclipse-score%7Cscore%7C965
- - :need:`doc__kvs_fmea`
- - :ndf:`copy('status', need_id='doc__kvs_fmea')`
+ - :need:`doc__persistency_kvs_fmea`
+ - :ndf:`copy('status', need_id='doc__persistency_kvs_fmea')`
 * - :need:`PROCESS_wp__audit_report`
 - performed by external experts
@@ -156,15 +156,15 @@ Component Workproducts List
 - :need:`PROCESS_gd_temp__req_comp_req`
 - :ndf:`copy('status', need_id='PROCESS_gd_temp__req_comp_req')`
 - https://github.com/eclipse-score/score/issues/952?issue=eclipse-score%7Cscore%7C960
- - :need:`doc__persistency_kvs_mod_req`
- - :ndf:`copy('status', need_id='doc__persistency_kvs_mod_req')` & WP below
+ - :need:`doc__persistency_kvs_requirements`
+ - :ndf:`copy('status', need_id='doc__persistency_kvs_requirements')` & WP below
 * - :need:`PROCESS_wp__requirements_comp_aou`
 - :need:`PROCESS_gd_temp__req_aou_req`
 - :ndf:`copy('status', need_id='PROCESS_gd_temp__req_aou_req')`
 - https://github.com/eclipse-score/score/issues/952?issue=eclipse-score%7Cscore%7C960
- - :need:`doc__persistency_kvs_mod_req`
- - :ndf:`copy('status', need_id='doc__persistency_kvs_mod_req')` & WP below
+ - :need:`doc__persistency_kvs_requirements`
+ - :ndf:`copy('status', need_id='doc__persistency_kvs_requirements')` & WP below
 * - :need:`PROCESS_wp__requirements_inspect`
 - :need:`PROCESS_gd_chklst__req_inspection`
@@ -177,8 +177,8 @@ Component Workproducts List
 - :need:`PROCESS_gd_temp__arch_comp`
 - :ndf:`copy('status', need_id='PROCESS_gd_temp__arch_comp')`
 - https://github.com/eclipse-score/score/issues/952?issue=eclipse-score%7Cscore%7C1020
- - :need:`doc__persistency_kvs_mod_arch`
- - :ndf:`copy('status', need_id='doc__persistency_kvs_mod_arch')` & WP below
+ - :need:`doc__persistency_kvs_architecture`
+ - :ndf:`copy('status', need_id='doc__persistency_kvs_architecture')` & WP below
 * - :need:`PROCESS_wp__sw_arch_verification`
 - :need:`PROCESS_gd_chklst__arch_inspection_checklist`
@@ -191,15 +191,15 @@ Component Workproducts List
 - :need:`PROCESS_wp__sw_component_fmea`
 - :ndf:`copy('status', need_id='PROCESS_gd_guidl__safety_analysis')`
 - https://github.com/eclipse-score/score/issues/952?issue=eclipse-score%7Cscore%7C965
- - :need:`doc__kvs_fmea`
- - :ndf:`copy('status', need_id='doc__kvs_fmea')` & WP below
+ - :need:`doc__persistency_kvs_fmea`
+ - :ndf:`copy('status', need_id='doc__persistency_kvs_fmea')` & WP below
 * - :need:`PROCESS_wp__sw_component_dfa`
 - :need:`PROCESS_wp__sw_component_dfa`
 - :ndf:`copy('status', need_id='PROCESS_gd_guidl__safety_analysis')`
 - https://github.com/eclipse-score/score/issues/952?issue=eclipse-score%7Cscore%7C965
- - :need:`doc__kvs_dfa`
- - :ndf:`copy('status', need_id='doc__kvs_dfa')` & WP below
+ - :need:`doc__persistency_kvs_dfa`
+ - :ndf:`copy('status', need_id='doc__persistency_kvs_dfa')` & WP below
 * - :need:`PROCESS_wp__sw_implementation`
 - :need:`PROCESS_gd_guidl__implementation`