FMEA (Failure Modes and Effects Analysis)

Persistency FMEA
status: valid
security: NO
safety: ASIL_B
tags: persistency

For the FMEA analysis the fault models from gd_guidl__fault_models are used. The following fault models do not apply to the persistency feature:

Fault models
  • MF_01_03: Message received too early: Failure initiator not applicable at persistency, so no mitigation is needed.

  • MF_01_04: Message not received correctly by all recipients (different messages or messages partly lost): Failure initiator not applicable at persistency, so no mitigation is needed.

  • MF_01_07: Message is unintentionally sent: Failure initiator not applicable at persistency. The feature is developed fully deterministically, so no unintended messages are expected.

  • CO_01_01: Minimum constraint boundary is violated: Failure initiator not applicable at persistency, so no mitigation is needed.

  • CO_01_02: Maximum constraint boundary is violated: Failure initiator not applicable at persistency, so no mitigation is needed.

  • EX_01_01: Process calculates wrong result(s): Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministically, so no wrong results caused by persistency are expected.

  • EX_01_02: Processing too slow: Failure initiator not applicable at persistency. The feature is developed fully deterministically, so no slow processing caused by persistency is expected.

  • EX_01_03: Processing too fast: Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministically, so no fast processing caused by persistency is expected.

  • EX_01_04: Loss of execution: Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministically, so no loss of execution caused by persistency is expected.

  • EX_01_05: Processing changes to arbitrary process: Failure initiator not applicable at persistency, so no mitigation is needed.

  • EX_01_06: Processing is not complete (infinite loop): Failure initiator not applicable at persistency, so no mitigation is needed. The feature is developed fully deterministically, so no infinite loop caused by persistency is expected.

Failure Mode List

Each failure mode is listed with the fields id, violates, fault_id, failure_effect, mitigated_by, sufficient, status, safety_relevant, root_cause and content.

id: feat_saf_fmea__persistency__message_nreived
violates: feat_arc_dyn__persistency__check_key_default, feat_arc_dyn__persistency__delete_key, feat_arc_dyn__persistency__flush, feat_arc_dyn__persistency__read_key, feat_arc_dyn__persistency__read_from_storage, feat_arc_dyn__persistency__write_key, feat_arc_dyn__persistency__snapshot_restore
fault_id: MF_01_01
failure_effect: Message is not received, so the persistency feature is not available.
mitigated_by: aou_req__persistency__error_handling
sufficient: yes
status: valid
safety_relevant: NA
root_cause: NA
content: User is not able to use the feature. Middleware can't be used. Loss of execution can only be caused by the application, not by the persistency feature itself. Failure handling is addressed to the application by aou_req__persistency__error_handling.

id: feat_saf_fmea__persistency__late_message
violates: feat_arc_dyn__persistency__check_key_default, feat_arc_dyn__persistency__delete_key, feat_arc_dyn__persistency__flush, feat_arc_dyn__persistency__read_key, feat_arc_dyn__persistency__read_from_storage, feat_arc_dyn__persistency__write_key, feat_arc_dyn__persistency__snapshot_restore
fault_id: MF_01_02
failure_effect: Message received too late.
mitigated_by: aou_req__persistency__error_handling
sufficient: yes
status: valid
safety_relevant: NA
root_cause: NA
content: Subset of MF_01_01 if the delay is too long.

id: feat_saf_fmea__persistency__corrupted_message
violates: feat_arc_dyn__persistency__check_key_default, feat_arc_dyn__persistency__delete_key, feat_arc_dyn__persistency__flush, feat_arc_dyn__persistency__read_key, feat_arc_dyn__persistency__read_from_storage, feat_arc_dyn__persistency__write_key, feat_arc_dyn__persistency__snapshot_restore
fault_id: MF_01_05
failure_effect: Message is corrupted, so the persistency feature is not available.
mitigated_by: aou_req__persistency__error_handling
sufficient: yes
status: valid
safety_relevant: NA
root_cause: NA
content: Covered by MF_01_01.

id: feat_saf_fmea__persistency__not_sent
violates: feat_arc_dyn__persistency__check_key_default, feat_arc_dyn__persistency__delete_key, feat_arc_dyn__persistency__flush, feat_arc_dyn__persistency__read_key, feat_arc_dyn__persistency__read_from_storage, feat_arc_dyn__persistency__write_key, feat_arc_dyn__persistency__snapshot_restore
fault_id: MF_01_06
failure_effect: Message is not sent, so the persistency feature is not available.
mitigated_by: aou_req__persistency__error_handling
sufficient: yes
status: valid
safety_relevant: NA
root_cause: NA
content: Covered by MF_01_01 because the violation cause is the same.

id: feat_saf_fmea__persistency__err_handl
violates: feat_arc_dyn__persistency__check_key_default, feat_arc_dyn__persistency__delete_key, feat_arc_dyn__persistency__flush, feat_arc_dyn__persistency__read_key, feat_arc_dyn__persistency__read_from_storage, feat_arc_dyn__persistency__write_key, feat_arc_dyn__persistency__snapshot_restore
fault_id: EX_01_04
failure_effect: Loss of execution will lead to an unavailability of the persistency feature.
mitigated_by: aou_req__persistency__error_handling
sufficient: yes
status: valid
safety_relevant: NA
root_cause: NA
content: User is not able to use the feature. Middleware can't be used. Loss of execution can only be caused by the application, not by the persistency feature itself. Failure handling is addressed to the application by aou_req__persistency__error_handling.
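The failure mode list routes every message fault (MF_01_01 not received, MF_01_02 too late, MF_01_05 corrupted, MF_01_06 not sent) into one outcome, "persistency feature not available", and assigns the handling to the application via aou_req__persistency__error_handling. The following Python example is added here to illustrate what that application-side handling can look like; it is not S-CORE persistency code. The reply format (a CRC-32 tag over key and payload), the `ScriptedTransport` stand-in and the key names are assumptions constructed for the example, and the deadline is the application's own choice.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


# Constructed reply format (assumption, not the project's wire format): the
# persistency side tags each reply with a CRC-32 over key and payload so the
# application can detect a corrupted message (MF_01_05).
@dataclass(frozen=True)
class Reply:
    key: str
    payload: bytes
    tag: int


def make_reply(key: str, payload: bytes) -> Reply:
    """Build a well-formed reply as the hypothetical persistency side would."""
    return Reply(key, payload, zlib.crc32(key.encode() + payload))


class ScriptedTransport:
    """Stand-in for the persistency transport (constructed for this example).

    Each key maps to (elapsed_seconds, reply-or-None) so the scenarios are
    reproducible without a real middleware. None models "message not received"
    (MF_01_01) and, from the application's point of view, "message not sent"
    (MF_01_06), which the FMEA treats as the same violation cause.
    """

    def __init__(self, script: Dict[str, Tuple[float, Optional[Reply]]]):
        self._script = dict(script)

    def read_key(self, key: str) -> Tuple[float, Optional[Reply]]:
        return self._script.get(key, (0.0, None))


def classify(reply: Optional[Reply], elapsed_s: float, deadline_s: float,
             key: str) -> Optional[str]:
    """Map one read outcome to the FMEA fault id it realises, or None if good."""
    if reply is None:
        return "MF_01_01"   # not received (covers MF_01_06 as well)
    if elapsed_s > deadline_s:
        return "MF_01_02"   # too late: a subset of MF_01_01 once the deadline passes
    expected_tag = zlib.crc32(reply.key.encode() + reply.payload)
    if reply.key != key or reply.tag != expected_tag:
        return "MF_01_05"   # corrupted: wrong key or integrity tag mismatch
    return None


def read_with_default(transport, key: str, default: bytes,
                      deadline_s: float) -> Tuple[bytes, Optional[str]]:
    """Application-side read: every fault collapses to 'persistency unavailable'.

    The caller always gets a usable value (the safe default on any fault) plus
    the fault id, so it can log which failure mode it observed.
    """
    elapsed_s, reply = transport.read_key(key)
    fault = classify(reply, elapsed_s, deadline_s, key)
    if fault is not None:
        return default, fault
    return reply.payload, None


def sample_transport() -> ScriptedTransport:
    """Constructed scenarios, one per message fault model in the list above."""
    corrupt = make_reply("wiper_mode", b"auto")
    return ScriptedTransport({
        "speed_limit": (0.005, make_reply("speed_limit", b"120")),   # healthy read
        "lamp_cfg": (2.0, make_reply("lamp_cfg", b"dim")),           # MF_01_02: too late
        "wiper_mode": (0.005, Reply(corrupt.key, corrupt.payload,
                                    corrupt.tag ^ 1)),               # MF_01_05: corrupted
        # "seat_pos" is absent from the script: MF_01_01 / MF_01_06
    })


if __name__ == "__main__":
    transport = sample_transport()
    for k in ("speed_limit", "lamp_cfg", "wiper_mode", "seat_pos"):
        print(k, read_with_default(transport, k, b"<default>", deadline_s=1.0))
```

The point of collapsing all four message faults into a single unavailability path is that the application needs exactly one recovery strategy (the default value and a log entry) rather than one per fault model, which matches the "covered by MF_01_01" reasoning in the list.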