{
"version": "1",
"standard": "ISO 26262-9:2018",
"component": "cpp-LIN",
"date": "2026-06-19",
"asil": "ASIL-B",
"fmea_entries": [
{
"id": "FMEA-01",
"item": "validate_frame()",
"module": "M-01 Core",
"req_refs": ["REQ-LIN-001", "REQ-LIN-002", "REQ-LIN-003"],
"failure_mode": "Accepts frame with ID > 0x3F or data length 0 or > 8",
"failure_effect_local": "Invalid frame enters bus processing pipeline",
"failure_effect_system": "Downstream ECU receives corrupt data; potential actuator miscommand",
"hazard_ref": "H-01",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Boundary tests REQ-LIN-001..003,015..017; ASan in CI",
"status": "Closed"
},
{
"id": "FMEA-02",
"item": "protect_id()",
"module": "M-01 Core",
"req_refs": ["REQ-LIN-004", "REQ-LIN-005", "REQ-LIN-018"],
"failure_mode": "P0 or P1 parity bit computed incorrectly",
"failure_effect_local": "PID byte has wrong parity bits",
"failure_effect_system": "Slave rejects header; master gets ErrNoResponse; safety degradation",
"hazard_ref": "H-02",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Known-vector tests REQ-LIN-004..007; verify_pid cross-check",
"status": "Closed"
},
{
"id": "FMEA-03",
"item": "verify_pid()",
"module": "M-01 Core",
"req_refs": ["REQ-LIN-006", "REQ-LIN-007"],
"failure_mode": "Incorrect parity accepted or correct parity rejected",
"failure_effect_local": "Frame with corrupt ID accepted, or valid frame rejected",
"failure_effect_system": "Wrong frame ID processed; potential wrong actuator targeted",
"hazard_ref": "H-02",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Unit tests for accept/reject cases; protect_id/verify_pid round-trip",
"status": "Closed"
},
{
"id": "FMEA-04",
"item": "calc_checksum()",
"module": "M-01 Core",
"req_refs": ["REQ-LIN-008", "REQ-LIN-009", "REQ-LIN-010"],
"failure_mode": "Wrong checksum for classic or enhanced type; carry-around error",
"failure_effect_local": "Frame has incorrect checksum field",
"failure_effect_system": "Hardware slave rejects frame; protocol violation",
"hazard_ref": "H-03",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Classic and enhanced checksum known-vector tests",
"status": "Closed"
},
{
"id": "FMEA-05",
"item": "virt::Bus::publish()",
"module": "M-02 Virtual Bus",
"req_refs": ["REQ-VIRT-002", "REQ-VIRT-003", "REQ-VIRT-004", "REQ-VIRT-005"],
"failure_mode": "Data race: concurrent publish() corrupts response table",
"failure_effect_local": "Wrong payload stored; subsequent send_header delivers corrupt data",
"failure_effect_system": "Wrong sensor value propagated to actuator",
"hazard_ref": "H-01",
"severity": "S3",
"occurrence": "O2",
"detection": "D1",
"rpn": 6,
"mitigation": "shared_mutex exclusive-write; REQ-VIRT-018 ThreadSanitizer gate in CI",
"status": "Closed"
},
{
"id": "FMEA-06",
"item": "virt::Bus::send_header()",
"module": "M-02 Virtual Bus",
"req_refs": ["REQ-VIRT-006", "REQ-VIRT-007", "REQ-VIRT-008", "REQ-VIRT-009"],
"failure_mode": "Frame delivered to wrong subscriber due to filter logic error",
"failure_effect_local": "Subscriber receives frame with wrong ID",
"failure_effect_system": "Application processes wrong signal; potential miscommand",
"hazard_ref": "H-01",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Filter isolation tests REQ-VIRT-011; multiple-subscriber tests REQ-VIRT-014",
"status": "Closed"
},
{
"id": "FMEA-07",
"item": "virt::Bus subscriber channel full",
"module": "M-02 Virtual Bus",
"req_refs": ["REQ-VIRT-013"],
"failure_mode": "Full subscriber channel blocks send_header, stalling master schedule",
"failure_effect_local": "LIN schedule stalls; no frames sent",
"failure_effect_system": "Total loss of LIN communication; safety degradation",
"hazard_ref": "H-05",
"severity": "S3",
"occurrence": "O2",
"detection": "D2",
"rpn": 12,
"mitigation": "Drop-on-full policy (not backpressure): a full subscriber channel drops the frame instead of blocking send_header (REQ-VIRT-013); bounded Chan<T>; the residual effect is silent frame loss for that subscriber, so the integrator must monitor the drop_count metric",
"status": "Closed"
},
{
"id": "FMEA-08",
"item": "safety::Protector::protect()",
"module": "M-03 Safety",
"req_refs": ["REQ-SAFETY-001", "REQ-SAFETY-002", "REQ-SAFETY-003", "REQ-SAFETY-004", "REQ-SAFETY-005", "REQ-SAFETY-006"],
"failure_mode": "CRC computed over wrong bytes (e.g., CRC slot not zeroed before CRC computation)",
"failure_effect_local": "CRC in header does not match Receiver's recomputation",
"failure_effect_system": "All frames rejected by Receiver; system enters safe state unnecessarily",
"hazard_ref": "H-04",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Known-vector test (CRC-16/CCITT-FALSE = 0x29B1 for '123456789'); round-trip test REQ-SAFETY-011",
"status": "Closed"
},
{
"id": "FMEA-09",
"item": "safety::Receiver::unwrap() — sequence check",
"module": "M-03 Safety",
"req_refs": ["REQ-SAFETY-009", "REQ-SAFETY-013"],
"failure_mode": "Gap detection logic fails: replayed frame accepted with old counter",
"failure_effect_local": "Stale or replayed payload passed to application",
"failure_effect_system": "Actuator receives outdated command; potential hazardous output",
"hazard_ref": "H-04",
"severity": "S3",
"occurrence": "O1",
"detection": "D1",
"rpn": 3,
"mitigation": "Sequence gap unit test (should also cover counter wrap-around); first-message seeding test REQ-SAFETY-013; concurrent protect test REQ-SAFETY-014. Note: the sequence counter + CRC-16 detects accidental repetition or corruption (random faults) only — a CRC is not an authenticator, so deliberate replay or forgery by an attacker is a cybersecurity concern outside the scope of this ISO 26262 FMEA",
"status": "Closed"
},
{
"id": "FMEA-10",
"item": "master::Node::run()",
"module": "M-04 Master",
"req_refs": ["REQ-MASTER-003", "REQ-MASTER-004", "REQ-MASTER-005"],
"failure_mode": "Schedule processed out-of-order or slot skipped",
"failure_effect_local": "Wrong frame ID polled; slave not sampled in correct slot",
"failure_effect_system": "Sensor data acquired at wrong time; safety analysis invalid",
"hazard_ref": "H-01",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "In-order iteration test REQ-MASTER-003; slot call count test REQ-MASTER-004",
"status": "Closed"
},
{
"id": "FMEA-11",
"item": "master::Node::run() — stop signal",
"module": "M-04 Master",
"req_refs": ["REQ-MASTER-008"],
"failure_mode": "run() ignores stop flag; thread cannot be joined",
"failure_effect_local": "Master thread continues running after shutdown request",
"failure_effect_system": "Use-after-free if bus destroyed first; undefined behaviour",
"hazard_ref": "H-05",
"severity": "S3",
"occurrence": "O1",
"detection": "D1",
"rpn": 3,
"mitigation": "Cancellation test REQ-MASTER-008; ASan validates no UAF after thread join",
"status": "Closed"
},
{
"id": "FMEA-12",
"item": "ldf::parse()",
"module": "M-06 LDF",
"req_refs": ["REQ-LDF-014"],
"failure_mode": "Panic / crash on malformed or adversarial LDF input",
"failure_effect_local": "Process crash during LDF loading phase",
"failure_effect_system": "LIN system fails to initialize; startup denial of service",
"hazard_ref": "H-05",
"severity": "S2",
"occurrence": "O2",
"detection": "D1",
"rpn": 4,
"mitigation": "Fuzz-target test REQ-LDF-014; exception caught, returns partial DB + error — callers are expected to check the returned error and must not treat the partial DB as a complete, trusted configuration",
"status": "Closed"
},
{
"id": "FMEA-13",
"item": "LinAdapter::send()",
"module": "M-07 RELAY Adapter",
"req_refs": ["REQ-ADAPT-003"],
"failure_mode": "Out-of-range ID (>63) silently truncated to valid range and published",
"failure_effect_local": "Wrong frame ID published; wrong slave responds",
"failure_effect_system": "Wrong actuator targeted; potential safety miscommand",
"hazard_ref": "H-02",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Explicit range check before publish; reject test msg.id='64' REQ-ADAPT-003",
"status": "Closed"
},
{
"id": "FMEA-14",
"item": "Chan<T>::recv() after close()",
"module": "M-09 Channel",
"req_refs": ["REQ-VIRT-015", "REQ-VIRT-016"],
"failure_mode": "recv() blocks indefinitely after bus close; subscriber thread never exits",
"failure_effect_local": "Thread leak; resource exhaustion",
"failure_effect_system": "Cannot shut down LIN system cleanly; heap / handle leak",
"hazard_ref": "H-05",
"severity": "S2",
"occurrence": "O1",
"detection": "D1",
"rpn": 2,
"mitigation": "Close signals all waiting recv() to return nullopt; lifecycle test REQ-VIRT-015",
"status": "Closed"
}
],
"severity_scale": {
"S1": "No safety impact",
"S2": "Safety degradation — system enters safe state",
"S3": "Potential hazardous output without safe state"
},
"occurrence_scale": {
"O1": "Improbable — no known instance in test / field",
"O2": "Remote — possible under specific conditions",
"O3": "Occasional — multiple occurrences possible"
},
"detection_scale": {
"D1": "Unit test / CI catches before integration",
"D2": "Integration test or runtime monitor catches",
"D3": "Field detection only"
}
}