Platform DFA (Dependent Failure Analysis)

Platform DFA		status: draft security: NO safety: ASIL_B
tags: template, platform realizes: wp__platform_dfa
doc__platform_dfa		Generic Document

Note

The platform DFA is only performed once at platform level to analyse the dependencies between the features of the platform. The results shall be used as an input for the safety analysis so that general safety mechanisms are only defined once and not in every single safety analysis.

Note

Use the content of the document to describe e.g. why a fault model is not applicable for the diagram.

The DFA for the platform is performed. To show evidence that all failure initiators are considered, the applicability has to be filled out in the following tables. For all applicable failure initiators, the DFA has to be performed.

Dependent Failure Initiators

2.1 Shared resources

Note

Shared libraries is only than applicable as a shared resource if the feature and the related safety mechanisms are using this specific library. If the library is not used by the feature or the related safety mechanisms, it is not a shared resource.

Table 90 DFA shared resources (used for Platform DFA)

ID	Violation cause shared resources	Applicability	Rationale
SR_01_01	Reused software modules	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SR_01_02	Libraries	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SR_01_04	Basic software	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SR_01_05	Operating system including scheduler	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SR_01_06	Any service stack, e.g. communication stack	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SR_01_07	Configuration data	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SR_01_09	Execution time	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SR_01_10	Allocated memory	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>

2.2 Communication between the two elements:

Receiving function is affected by information that is false, lost, sent multiple times, or in the wrong order etc. from the sender.

Table 91 DFA communication between elements

ID	Violation cause communication between elements	Applicability	Rationale
CO_01_01	Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow)	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
CO_01_02	Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
CO_01_03	Insertion / sequence of information	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
CO_01_04	Corruption of information, inconsistent data	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
CO_01_05	Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same information	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
CO_01_06	Information from a sender received by only a subset of the receivers	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
CO_01_07	Blocking access to a communication channel	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>

2.3 Shared information inputs

Same information input used by multiple functions.

Table 92 DFA shared information inputs

ID	Violation cause shared information inputs	Applicability	Rationale
SI_01_02	Configuration data	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SI_01_03	Constants, or variables, being global to the two software functions	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SI_01_04	Basic software passes data (read from hardware register and converted into logical information) to two applications software functions	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SI_01_05	Data / function parameter arguments / messages delivered by software function to more than one other function	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>

2.4 Unintended impact

Unintended impacts to function due to various failures.

Table 93 DFA unintended impact

ID	Violation cause unintended impact	Applicability	Rationale
UI_01_01	Memory miss-allocation and leaks	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_02	Read/Write access to memory allocated to another software element	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_03	Stack/Buffer under-/overflow	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_04	Deadlocks	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_05	Livelocks	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_06	Blocking of execution	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_07	Incorrect allocation of execution time	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_08	Incorrect execution flow	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_09	Incorrect synchronization between software elements	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_10	CPU time depletion	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_11	Memory depletion	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
UI_01_12	Other HW unavailability	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>

Development failure initiators

Section is only applicable if a divers SW development is needed due to decomposition.

note:

Section shall be applied only once to analyse all dependencies of the features. Results shall be checked during of the analysis of new features if this is applicable to the feature.

Table 94 DFA development failure initiators (Platform DFA)

ID	Violation cause development failure initiators	Applicability	Rationale
SC_01_02	Same development approaches (e.g. IDE, programming and/or modelling language)	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SC_01_03	Same personal	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SC_01_04	Same social-cultural context (even if different personnel). Only applicable if diverse development is needed.	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>
SC_01_05	Development fault (e.g. human error, insufficient qualification, insufficient methods). Only applicable if diverse development is needed.	<yes | no>	<Rationale if not applicable, otherwise link to filled out DFA>

DFA

For all identified applicable failure initiators, the DFA is performed in the following section.

.. plat_saf_dfa:: <Title>
   :violates: <Feature architecture>
   :id: plat_saf_DFA__Platform__<Element descriptor>
   :failure_id: <ID from DFA failure initiators :need:`gd_guidl__dfa_failure_initiators`>
   :failure_effect: "description of failure effect of the failure initiator on the element"
   :mitigated_by: <ID from Stakeholder Requirement | ID from AoU Feature Requirement>
   :mitigation_issue: <ID from Issue Tracker>
   :sufficient: <yes|no>
   :status: <valid|invalid>

Note

Argument is inside the ‘content’. Therefore content is mandatory.

Attention

The above directive must be updated according to the platform DFA.

• The above “code-block” directive must be updated

• Fill in all the needed information in the <brackets>