.. # ******************************************************************************* # Copyright (c) 2025 Contributors to the Eclipse Foundation # # See the NOTICE file(s) distributed with this work for additional # information regarding copyright ownership. # # This program and the accompanying materials are made available under the # terms of the Apache License Version 2.0 which is available at # https://www.apache.org/licenses/LICENSE-2.0 # # SPDX-License-Identifier: Apache-2.0 # ******************************************************************************* FMEA (Failure Modes and Effects Analysis) ========================================= .. document:: [Your Feature Name] FMEA :id: doc__feature_example_fmea :status: draft :safety: ASIL_B :security: NO :realizes: wp__feature_fmea :tags: template .. note:: Use the content of the document to describe e.g. why a fault model is not applicable for the diagram. .. attention:: The above directive must be updated according to your Feature. - Modify ``Your Feature Name`` to be your Feature Name - Modify ``id`` to be your Feature Name in upper snake case preceded by ``doc__`` and succeeded by ``_fmea`` - Adjust ``status`` to be ``valid`` - Adjust ``safety`` and ``tags`` according to your needs The FMEA for the feature [Your Feature Name] is performed. To show evidence that all failure initiators are considered, the applicability has to be filled out in the following tables. For all applicable failure initiators, the FMEA has to be performed. Failure Mode List ----------------- Fault Models for sequence diagrams .. list-table:: Fault Models for sequence diagrams :header-rows: 1 :widths: 10,20,10,20 * - ID - Failure Mode - Applicability - Rationale * - MF_01_01 - message is not received (is a subset/more precise description of MF_01_05) - - * - MF_01_02 - message received too late (only relevant if delay is a realistic fault) - - * - MF_01_03 - message received too early (usually not a problem) - - * - MF_01_04 - message not received correctly by all recipients (different messages or messages partly lost). Only relevant if the same message goes to multiple recipients. - - * - MF_01_05 - message is corrupted - - * - MF_01_06 - message is not sent - - * - MF_01_07 - message is unintended sent - - * - CO_01_01 - minimum constraint boundary is violated - - * - CO_01_02 - maximum constraint boundary is violated - - * - EX_01_01 - Process calculates wrong result(s) (is a subset/more precise description of MF_01_05 or MF_01_04). This failure mode is related to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size / complexity of the feature. - - * - EX_01_02 - processing too slow (only relevant if timing is considered) - - * - EX_01_03 - processing too fast (only relevant if timing is considered) - - * - EX_01_04 - loss of execution - - * - EX_01_05 - processing changes to arbitrary process - - * - EX_01_06 - processing is not complete (infinite loop) - - FMEA ---- For all identified applicable failure initiators, the FMEA is performed in the following section. .. code-block:: rst .. feat_saf_fmea:: :violates: <Feature architecture> :id: feat_saf_fmea__<Feature>__<Element descriptor> :fault_id: <ID from fault model :need:`gd_guidl__fault_models`> :failure_effect: "description of failure effect of the fault model on the element" :mitigated_by: <ID from Feature Requirement | ID from AoU Feature Requirement> :mitigation_issue: <ID from Issue Tracker> :sufficient: <yes|no> :status: <valid|invalid> .. note:: Argument is inside the 'content'. Therefore content is mandatory. .. attention:: The above directive must be updated according to your feature FMEA. - The above "code-block" directive must be updated - Fill in all the needed information in the <brackets>