update safety analysis templates

Author: PandaeDo

process/folder_templates/features/feature_name/safety_analysis/dfa.rst

@@ -34,9 +34,222 @@ DFA (Dependent Failure Analysis)
     - Adjust ``status`` to be ``valid``
     - Adjust ``safety`` and ``tags`` according to your needs
 
+The DFA for the feature [Your Feature Name] is performed. To show evidence that all failure initiators are considered, the applicability has to be filled out in the
+following tables. For all applicable failure initiators, the DFA has to be performed.
+
 Dependent Failure Initiators
 ----------------------------
 
+2.1 Shared resources
+
+.. note:: Shared libraries is only than applicable as a shared resource if the feature and the related safety mechanisms are using this specific library. If the library is not used by the feature or the related safety mechanisms, it is not a shared resource.
+
+
+.. list-table:: DFA shared resources (used for Platform DFA)
+  :header-rows: 1
+  :widths: 10,20,10,20
+
+  * - ID
+    - Violation cause shared resources
+    - Applicability
+    - Rationale
+  * - SR_01_01
+    - Reused software modules
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SR_01_02
+    - Libraries
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SR_01_04
+    - Basic software
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SR_01_05
+    - Operating system including scheduler
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SR_01_06
+    - Any service stack, e.g. communication stack
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SR_01_07
+    - Configuration data
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SR_01_09
+    - Execution time
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SR_01_10
+    - Allocated memory
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+
+
+| 2.2 Communication between the two elements:
+| Receiving function is affected by information that is false, lost, sent multiple times, or in the wrong order etc. from the sender.
+
+.. list-table:: DFA communication between elements
+  :header-rows: 1
+  :widths: 10,20,10,20
+
+  * - ID
+    - Violation cause communication between elements
+    - Applicability
+    - Rationale
+  * - CO_01_01
+    - Information passed via argument through a function call, or via writing/reading a variable being global to the two software functions (data flow)
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - CO_01_02
+    - Data or message corruption / repetition / loss / delay / masquerading or incorrect addressing of information
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - CO_01_03
+    - Insertion / sequence of information
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - CO_01_04
+    - Corruption of information, inconsistent data
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - CO_01_05
+    - Asymmetric information sent from a sender to multiple receivers, so that not all defined receivers have the same information
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - CO_01_06
+    - Information from a sender received by only a subset of the receivers
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - CO_01_07
+    - Blocking access to a communication channel
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+
+| 2.3 Shared information inputs
+| Same information input used by multiple functions.
+
+.. list-table:: DFA shared information inputs
+  :header-rows: 1
+  :widths: 10,20,10,20
+
+  * - ID
+    - Violation cause shared information inputs
+    - Applicability
+    - Rationale
+  * - SI_01_02
+    - Configuration data
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SI_01_03
+    - Constants, or variables, being global to the two software functions
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SI_01_04
+    - Basic software passes data (read from hardware register and converted into logical information) to two applications software functions
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SI_01_05
+    - Data / function parameter arguments / messages delivered by software function to more than one other function
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+
+| 2.4 Unintended impact
+| Unintended impacts to function due to various failures.
+
+.. list-table:: DFA unintended impact
+  :header-rows: 1
+  :widths: 10,20,10,20
+
+  * - ID
+    - Violation cause unintended impact
+    - Applicability
+    - Rationale
+  * - UI_01_01
+    - Memory miss-allocation and leaks
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_02
+    - Read/Write access to memory allocated to another software element
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_03
+    - Stack/Buffer under-/overflow
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_04
+    - Deadlocks
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_05
+    - Livelocks
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_06
+    - Blocking of execution
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_07
+    - Incorrect allocation of execution time
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_08
+    - Incorrect execution flow
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_09
+    - Incorrect synchronization between software elements
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_10
+    - CPU time depletion
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_11
+    - Memory depletion
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - UI_01_12
+    - Other HW unavailability
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+
+| Development failure initiators
+| Section is **only applicable if a divers SW development is needed** due to decomposition.
+
+:note: Section shall be applied only once to analyse all dependencies of the features. Results shall be checked during of the analysis of new features if this is applicable to the feature.
+
+.. list-table:: DFA development failure initiators (Platform DFA)
+  :header-rows: 1
+  :widths: 10,20,10,20
+
+  * - ID
+    - Violation cause development failure initiators
+    - Applicability
+    - Rationale
+  * - SC_01_02
+    - Same development approaches (e.g. IDE, programming and/or modelling language)
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SC_01_03
+    - Same personal
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SC_01_04
+    - Same social-cultural context (even if different personnel). Only applicable if diverse development is needed.
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+  * - SC_01_05
+    - Development fault (e.g. human error, insufficient qualification, insufficient methods). Only applicable if diverse development is needed.
+    - <yes | no>
+    - <Rationale if not applicable, otherwise link to filled out DFA>
+
+
+DFA
+---
+For all identified applicable failure initiators, the DFA is performed in the following section.
+
 .. code-block:: rst
 
     .. feat_saf_dfa:: <Title>

process/folder_templates/features/feature_name/safety_analysis/fmea.rst

@@ -34,9 +34,86 @@ FMEA (Failure Modes and Effects Analysis)
     - Adjust ``status`` to be ``valid``
     - Adjust ``safety`` and ``tags`` according to your needs
 
+The FMEA for the feature [Your Feature Name] is performed. To show evidence that all failure initiators are considered, the applicability has to be filled out in the
+following tables. For all applicable failure initiators, the FMEA has to be performed.
+
 Failure Mode List
 -----------------
 
+Fault Models for sequence diagrams
+  .. list-table:: Fault Models for sequence diagrams
+     :header-rows: 1
+     :widths: 10,20,10,20
+
+    * - ID
+      - Failure Mode
+      - Applicability
+      - Rationale
+    * - MF_01_01
+      - message is not received (is a subset/more precise description of MF_01_05)
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - MF_01_02
+      - message received too late (only relevant if delay is a realistic fault)
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - MF_01_03
+      - message received too early (usually not a problem)
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - MF_01_04
+      - message not received correctly by all recipients (different messages or messages partly lost). Only relevant if the same message goes to multiple recipients.
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - MF_01_05
+      - message is corrupted
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - MF_01_06
+      - message is not sent
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - MF_01_07
+      - message is unintended sent
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - CO_01_01
+      - minimum constraint boundary is violated
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - CO_01_02
+      - maximum constraint boundary is violated
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - EX_01_01
+      - Process calculates wrong result(s) (is a subset/more precise description of MF_01_05 or MF_01_04). This failure mode is related to the analysis if e.g. internal safety mechanisms are required (level 2 function, plausibility check of the output, …) because of the size / complexity of the feature.
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - EX_01_02
+      - processing too slow (only relevant if timing is considered)
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - EX_01_03
+      - processing too fast (only relevant if timing is considered)
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - EX_01_04
+      - loss of execution
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - EX_01_05
+      - processing changes to arbitrary process
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+    * - EX_01_06
+      - processing is not complete (infinite loop)
+      - <yes | no>
+      - <Rationale if not applicable, otherwise link to filled out FMEA>
+
+FMEA
+----
+For all identified applicable failure initiators, the FMEA is performed in the following section.
+
 .. code-block:: rst