Merge pull request #438 from etas-contrib/improvement_safety_linkage_and_checklist_improvement

Improvement safety linkage and checklist improvement

Author: masc2023

process/folder_templates/features/feature_name/architecture/chklst_arc_inspection.rst

@@ -162,3 +162,23 @@ Checklist
       -
       -
       -
+    * - ARC_04_01
+      - If software partitioning (different operating system processes) is used to implement freedom from interference between the processes with different rating (QM/ASIL), is effectiveness evidence generated during integration and verification tests?
+
+        Note: see ISO 26262-6, 7.4.9 and Annex D for partitioning
+      - manual
+      -
+        a) the usage of shared resources (cpu time, shared memory, ...) are checked in a wao that freedom from interference between the processes is ensured,
+        b) check if the operating system supports freedom from interference between the processes
+      -
+      -
+      -
+    * - ARC_04_02
+      - Is an upper estimation of the required resources (RAM, ROM, non volatile memory, communication) available and documented?
+
+        Note: see ISO 26262-6, 7.4.11
+      - manual
+      -
+      -
+      -
+      -

process/folder_templates/features/feature_name/requirements/chklst_req_inspection.rst

@@ -94,12 +94,6 @@ Requirement Inspection Checklist
         -
         -
       * - REQ_03_01
-        - For stakeholder requirements: Is the *rationale* correct?
-        - Rationales explain why the top level requirements were created. Do those cover the requirement?
-        -
-        -
-        -
-      * - REQ_03_02
         - Is the *linkage to the parent requirement* correct?
         - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement.
         -
@@ -130,7 +124,7 @@ Requirement Inspection Checklist
         -
         -
       * - REQ_07_02
-        - Is the attribute *security* set correctly?
+        - Is the *security* attribute set correctly?
         - For feature requirements this checklist item is supported by automated check: "Every requirement which satisfies a stakeholder requirement with security attribute set to YES inherits this". But the feature requirements/architecture may additionally also be subject to a :ref:`Software Security Analysis <security_analysis>`.
         -
         -
@@ -142,12 +136,6 @@ Requirement Inspection Checklist
         -
         -
       * - REQ_09_01
-        - For stakeholder requirements: Do those cover assumed safety mechanisms needed by the hardware and system?
-        - Note that stakeholder requirements covering safety mechanisms come from rationales, whereas feature requirements are covering safety mechanisms coming from :need:`gd_chklst__safety_analysis`
-        -
-        -
-        -
-      * - REQ_09_02
         - Do the feature requirements defining a safety mechanism contain the error reaction leading to a safe state?
         - Alternatively to the safe state there could also be "repair" mechanisms. Also do not forget to consider REQ_05_01 for these.
         -

process/folder_templates/modules/module_name/component_name/docs/requirements/chklst_req_inspection.rst

@@ -94,12 +94,6 @@ Requirement Inspection Checklist
         -
         -
       * - REQ_03_01
-        - For stakeholder requirements: Is the *rationale* correct?
-        - Rationales explain why the top level requirements were created. Do those cover the requirement?
-        -
-        -
-        -
-      * - REQ_03_02
         - Is the *linkage to the parent feature/component requirement* correct?
         - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement.
         -
@@ -142,12 +136,6 @@ Requirement Inspection Checklist
         -
         -
       * - REQ_09_01
-        - Note that stakeholder requirements covering safety mechanisms come from rationales, whereas component requirements are covering safety mechanisms coming from :need:`gd_chklst__safety_analysis`
-        -
-        -
-        -
-        -
-      * - REQ_09_02
         - Do the requirements that define a safety mechanism specify the error reaction leading to a safe state?
         - Alternatively to the safe state there could also be "repair" mechanisms. Also do not forget to consider REQ_05_01 for these.
         -

process/folder_templates/platform/index.rst

@@ -21,4 +21,5 @@ Platform
    :hidden:
 
    safety_analysis/platform_dfa.rst
+   requirements/stakeholder/chklst_req_inspection.rst
    safety_planning/index.rst

process/folder_templates/platform/requirements/stakeholder/chklst_req_inspection.rst

@@ -0,0 +1,178 @@
+..
+   # *******************************************************************************
+   # Copyright (c) 2025 Contributors to the Eclipse Foundation
+   #
+   # See the NOTICE file(s) distributed with this work for additional
+   # information regarding copyright ownership.
+   #
+   # This program and the accompanying materials are made available under the
+   # terms of the Apache License Version 2.0 which is available at
+   # https://www.apache.org/licenses/LICENSE-2.0
+   #
+   # SPDX-License-Identifier: Apache-2.0
+   # *******************************************************************************
+
+
+.. document:: [Your Stakeholder Name] Requirements Inspection Checklist
+   :id: doc__stakeholder_name_req_inspection
+   :status: draft
+   :safety: ASIL_B
+   :security: YES
+   :realizes: wp__requirements_inspect
+   :tags: template
+
+.. attention::
+    The above directive must be updated according to your Stakeholder.
+
+    - Modify ``Your Stakeholder Name`` to be your Stakeholder Name
+    - Modify ``id`` to be your Stakeholder Name in lower snake case preceded by ``doc__`` and followed by ``_req_inspection``
+    - Adjust ``status`` to be ``valid``
+    - Adjust ``safety``, ``security`` and ``tags`` according to your needs
+
+Stakeholder Requirement Inspection Checklist
+============================================
+
+   **Purpose**
+
+   The purpose of this requirement inspection checklist is to collect the topics to be checked during requirements inspection.
+
+   **Conduct**
+
+   As described in the concept :need:`doc_concept__wp_inspections` the following "inspection roles" are expected to be filled:
+
+   - author: these are the persons who did the last commits on the requirements in scope (can be derived from version mgt tool)
+   - reviewer: these are all persons committing into this inspection document or giving a pull request verdict on it (can be derived from version mgt tool)
+   - moderator: only needed for conflict resolution between author and reviewers, is the safety manager, security manager or quality manager called in as a reviewer (can be derived from version mgt tool)
+   - test expert: <one of the reviewers explicitly named here, to cover REQ_08_01 as described>
+
+   **Checklist**
+
+   .. list-table:: Stakeholder Requirement Inspection Checklist
+      :header-rows: 1
+      :widths: 10,30,50,6,6,8
+
+      * - Review ID
+        - Acceptance Criteria
+        - Guidance
+        - Passed
+        - Remarks
+        - Issue link
+      * - REQ_01_01
+        - Is the requirement formulation template used?
+        - see :need:`gd_temp__req_formulation`, this includes the use of "shall".
+        -
+        -
+        -
+      * - REQ_02_01
+        - Is the requirement description *comprehensible* ?
+        - If you think the requirement is hard to understand, comment here.
+        -
+        -
+        -
+      * - REQ_02_02
+        - Is the requirement description *unambiguous* ?
+        - Especially search for "weak words" like "about", "etc.", "relevant" and others (see the internet documentation on this). This check shall be supported by tooling.
+        -
+        -
+        -
+      * - REQ_02_03
+        - Is the requirement description *atomic* ?
+        - A good way to think about this is to consider if the requirement may be tested by one (positive) test case or needs more of these. The requirement formulation template should also avoid being non-atomic already. Note that there are cases where also non-atomic requirements are the better ones, for example if those are better understandable.
+        -
+        -
+        -
+      * - REQ_02_04
+        - Is the requirement description *feasible* ?
+        - If at the time of the inspection the requirement has already some implementation, the answer is yes. This can be checked via traces, but also :need:`gd_req__req_attr_impl` shows this. In case the requirement has no implementation at the time of inspection (i.e. not implemented at least as "proof-of-concept"), a development expert should be invited to the Pull-Request review to explicitly check this item.
+        -
+        -
+        -
+      * - REQ_02_05
+        - Is the requirement description *independent from implementation* ?
+        - This checkpoint should improve requirements definition in the sense that the "what" is described and not the "how" - the latter should be described in architecture/design derived from the requirement. But there can also be a good reason for this, for example we would require using a file format like JSON and even specify the formatting standard already on stakeholder requirement level because we want to be compatible. A finding in this checkpoint does not mean there is a safety problem in the requirement.
+        -
+        -
+        -
+      * - REQ_03_01
+        - Is the *rationale* correct?
+        - Rationales explain why the top level requirements were created. Do those cover the requirement?
+        -
+        -
+        -
+      * - REQ_03_02
+        - Is the *linkage to the parent requirement* correct?
+        - Linkage to correct levels and ASIL attributes is checked automatically, but it needs checking if the child requirement implements (at least) a part of the parent requirement.
+        -
+        -
+        -
+      * - REQ_04_01
+        - Is the requirement *internally and externally consistent*?
+        - Does the requirement contradict other requirements within the same or higher levels?
+        -
+        -
+        -
+      * - REQ_05_01
+        - Do the software requirements consider *timing constraints*?
+        - This checkpoint encourages to think about timing constraints even if those are not explicitly mentioned in the parent requirement. If the reviewer of a requirement already knows or suspects that the code execution will be consuming a lot of time, one should think of the expectation of a "user".
+        -
+        -
+        -
+      * - REQ_06_01
+        - Does the requirement consider *external interfaces*?
+        - The SW platform's external interfaces (to the user and external systems) are defined, so the Feature and Component Requirements should determine the input data use and setting of output data for these interfaces. Are all output values defined?
+        -
+        -
+        -
+      * - REQ_07_01
+        - Is the *safety* attribute set correctly?
+        - For the top level requirements (and also all AoU) this needs to be checked manually for correctness.
+        -
+        -
+        -
+      * - REQ_07_02
+        - Is the *security* attribute set correctly?
+        - For the top level requirements (and also all AoU) this needs to be checked manually for correctness.
+        -
+        -
+        -
+      * - REQ_08_01
+        - Is the requirement *verifiable*?
+        - If at the time of the inspection already tests are created for the requirement, the answer is yes. This can be checked via traces, but also :need:`gd_req__req_attr_test_covered` shows this. In case the requirement is not sufficiently traced to test cases already, a test expert is invited to the inspection to give his opinion whether the requirement is formulated in a way that supports test development and the available test infrastructure is sufficient to perform the test.
+        -
+        -
+        -
+      * - REQ_09_01
+        - Do those requirements cover assumed safety mechanisms needed by the hardware and system?
+        - Note that stakeholder requirements covering safety mechanisms come from rationales.
+        -
+        -
+        -
+
+Note: If a Review ID is not applicable for your requirement, then state ""n/a" in status and comment accordingly in remarks. For example "no stakeholder requirement (no rationale needed)"
+
+The following requirements in "valid" state and with "inspected" tag set are in the scope of this inspection:
+
+.. needtable::
+   :filter: "stakeholder_name" in docname and "requirements" in docname and docname is not None and status == "valid"
+   :style: table
+   :types: stkh_req
+   :tags: stakeholder_name
+   :columns: id;status;tags
+   :colwidths: 25,25,25
+   :sort: title
+
+And also the following AoUs in "valid" state and with "inspected" tag set (for these please answer the questions above as if the AoUs are requirements, except questions REQ_03_01 and REQ_03_02):
+
+.. needtable::
+   :filter: "stakeholder_name" in docname and "requirements" in docname and docname is not None and status == "valid"
+   :style: table
+   :types: aou_req
+   :tags: stakeholder_name
+   :columns: id;status;tags
+   :colwidths: 25,25,25
+   :sort: title
+
+.. attention::
+    The above tables filtering must be updated according to your Stakeholder.
+
+    - Modify ``stakeholder_name`` to be your Stakeholder Name in lower snake case

process/process_areas/architecture_design/guidance/architecture_guideline.rst

@@ -20,7 +20,7 @@ Architecture Guideline
 .. gd_guidl:: Architectural Design
    :id: gd_guidl__arch_design
    :status: valid
-   :complies: std_req__isopas8926__44411, std_req__isopas8926__44412, std_req__iso26262__software_745
+   :complies: std_req__isopas8926__44411, std_req__isopas8926__44412, std_req__iso26262__software_744, std_req__iso26262__software_745
 
 The guideline focuses on the steps which need to be performed in order to create the architectural design. The concept behind those steps is described in the :need:`[[title]] <doc_concept__arch_process>`.
 

process/process_areas/architecture_design/guidance/architecture_inspection_checklist.rst

@@ -21,7 +21,7 @@ Inspection Checklist Template
     :id: gd_chklst__arch_inspection_checklist
     :status: valid
     :tags: architecture_design
-    :complies: std_req__iso26262__software_647
+    :complies: std_req__iso26262__software_647, std_req__iso26262__software_749, std_req__iso26262__software_7413
 
     For the content see here:
 

process/process_areas/architecture_design/guidance/architecture_process_reqs.rst

@@ -106,9 +106,9 @@ Attributes of Architectural Elements
 
    Each architectural element shall have a unique ID. It shall be in a format which is also human readable and consists of
 
-      * type of architectural element
-      * structural element (e.g. some part of the feature tree, component acronym)
-      * keyword describing the content of the architectural element
+   * type of architectural element
+   * structural element (e.g. some part of the feature tree, component acronym)
+   * keyword describing the content of the architectural element
 
    Check your project's naming conventions (should be called "doc__naming_conventions")
 
@@ -120,8 +120,8 @@ Attributes of Architectural Elements
 
    Each architectural element shall have a security relevance identifier:
 
-      * Yes
-      * No
+   * Yes
+   * No
 
 .. gd_req:: Architecture attribute: safety
    :id: gd_req__arch_attr_safety
@@ -132,8 +132,8 @@ Attributes of Architectural Elements
 
    Each architectural element shall have a automotive safety integrity level (ASIL) identifier:
 
-      * QM
-      * ASIL_B
+   * QM
+   * ASIL_B
 
 .. gd_req:: Architecture attribute: status
    :id: gd_req__arch_attr_status
@@ -144,8 +144,8 @@ Attributes of Architectural Elements
 
    Each architectural element shall have a status:
 
-      * valid
-      * invalid
+   * valid
+   * invalid
 
 Traceability to Requirements
 ----------------------------
@@ -206,6 +206,7 @@ Checks for Architectural Design
    :status: valid
    :tags: prio_1_automation, attribute, check
    :satisfies: wf__cr_mt_featarch, wf__cr_mt_comparch
+   :complies: std_req__iso26262__software_746, std_req__iso26262__software_748
 
    It shall be checked that valid safety architectural elements (Safety != QM) can only be linked against valid safety architectural elements.
 

process/process_areas/architecture_design/guidance/component_architecture_template.rst

@@ -19,6 +19,6 @@ Component Architecture Template
     :id: gd_temp__arch_comp
     :status: valid
     :tags: architecture_design
-    :complies: std_req__iso26262__software_741, std_req__iso26262__software_742, std_req__iso26262__software_743
+    :complies: std_req__iso26262__software_741, std_req__iso26262__software_742, std_req__iso26262__software_743, std_req__iso26262__software_744
 
     For the content see here: :ref:`component_architecture_template`

process/process_areas/implementation/guidance/detailed_design_template.rst

@@ -19,6 +19,6 @@ Detailed Design Template
 .. gd_temp:: Detailed Design Templates
    :id: gd_temp__detailed_design
    :status: valid
-   :complies: std_req__iso26262__software_542, std_req__iso26262__support_641, std_req__iso26262__support_6421, std_req__iso26262__support_6425
+   :complies: std_req__iso26262__software_542, std_req__iso26262__support_641, std_req__iso26262__support_6421, std_req__iso26262__support_6425, std_req__iso26262__software_744
 
    For the content see here: :ref:`component_detailed_design_template`