Closed
"not started" topics:
- Competence Management: resolve Deviation_18, show how "sufficient level of skills" is checked, see https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#functional-safety-management-organization - example committer election: https://projects.eclipse.org/projects/automotive.score/elections/election-volker-haussler-eclipse-safe-open-vehicle-core, safety manager assignment: https://eclipse-score.github.io/score/main/platform_management_plan/role_assignment/platform_safety_manager.html (same for safety engineer) and CODEOWNERS https://eclipse-score.github.io/score/main/modules/communication/docs/safety_mgt/module_codeowners.html
- Impact analysis at the item level: tailor the item level, only do element level - see https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#tailoring (last bullet point)
- Reuse of an existing element: link to respective ISO 26262 req/wp, resolve Deviation_17 and align with Change Mgt responsible about Impact Analysis (part of Change Mgt Audit resolution), triggered by change request: https://github.com/eclipse-score/score/issues "New Issue", "Change Request", "Impact Analysis" - leads to https://eclipse-score.github.io/process_description/main/process_areas/change_management/guidance/change_management_impact_analysis_template.html
- Planning and coordination of the safety activities: Audit needs to be redone for SM, based on Exida excel list, see process https://eclipse-score.github.io/process_description/main/process_areas/safety_management/index.html example https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html (including links to feature WPs lists, these show the plan by adding all WPs from a template and the status is in the documentation mgt).
- Progression of the safety lifecycle: Config, Change, Doc Mgt are established, lifecycle is documented in https://eclipse-score.github.io/process_description//main/general_concepts/score_lifecycle_concept.html
- Safety case: Audit needs to be redone for SM, based on Exida excel list, see process-template https://eclipse-score.github.io/process_description/main/folder_templates/modules/module_name/docs/safety_mgt/module_safety_plan.html#doc__module_name_safety_plan and example https://eclipse-score.github.io/score/main/modules/baselibs/docs/safety_mgt/module_safety_plan.html (all WPs links and in status valid in docs or in doc mgt lists).
- Confirmation measures/reviews: present in next Audit, add Safety Analysis to Safety Plan and define ConfReview in Safety Analysis, planned to do similar thing: "Formal Document Review" as we also do not "confirm" the safety case but only produce a safety package, see https://eclipse-score.github.io/process_description/main/folder_templates/modules/module_name/docs/safety_mgt/module_safety_plan_fdr.html, https://eclipse-score.github.io/process_description/main/folder_templates/modules/module_name/docs/safety_mgt/module_safety_package_fdr.html, https://eclipse-score.github.io/process_description/main/process_areas/safety_analysis/guidance/safety_analysis_checklist.html
Actions and Deviations:
- Action_17: Cybersecurity is not yet addressed. The topic needs to be re-addressed. - see in safety mgt plan https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#cybersecurity-interface incl. link to security mgt plan, process descriptions https://eclipse-score.github.io/process_description/main/process_areas/security_management/index.html, https://eclipse-score.github.io/process_description/main/process_areas/security_analysis/index.html and setup of security meeting series
- Action_19: The activities / arguments when a Safety Anomaly can be considered as managed are missing. It might be that the future Problem Resolution Process covers the requirements of a Safety Anomaly process - description generally is in https://eclipse-score.github.io/process_description/main/process_areas/safety_management/guidance/guideline_safety_management.html "Safety anomalies" and in detail in https://eclipse-score.github.io/process_description/main/process_areas/problem_resolution/guidance/problem_resolution_guideline.html#initiate-and-monitor-problem-resolution
- Action_20: It needs to be clarified which parts of ISO 26262-4 §7 are judged to be applicable. (The related ISO Requirements need then to be added to the audit checklist below.) - tailored completely, commented in https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#tailoring
- Deviation_4: For safety classified issues (problems), it is not defined how affected versions/ released products are identified and potential product recalls are identified. It is imperative to identify the exact moment when the problem occurs. The process of notification of all users needs to be described. The responsibility of the user of the product shall be clarified: the user is responsible for checking for known safety issues (this requires a process of publishing known safety issues (with version information)). - this is covered by Problem Management Process, see the template https://eclipse-score.github.io/process_description/main/process_areas/problem_resolution/guidance/problem_resolution_template.html including "Problem Category" and "Problem affected version" (example: Bug: Example Problem Report - Feature Request missing safety/security attribute #124) and github: click on "New Issue"; all Bug reports are visible openly for platform and every module (e.g. https://github.com/eclipse-score/score/issues?q=is%3Aissue%20state%3Aopen%20label%3Abug); System Integrator has an AoU to observe safety anomalies: https://eclipse-score.github.io/score/main/requirements/platform_assumptions/index.html#aou_req__platform__integration_safety_anomaly
- Deviation_5: The Safety Manager shall be able to bypass the Technical Lead for escalation of safety anomalies, see https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#functional-safety-management-communication
- Deviation_7: The escalation for the Safety Responsible shall not be the Technical Lead (project management) (but to the Project Lead, as the project lead is the ultimate decision point), see https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#functional-safety-management-communication
- Deviation_8: There is no role defined, which covers the Software Safety Analysis. The committer is intended to cover the Software Safety Analysis, but this is not part of the role description yet. - new role, see https://eclipse-score.github.io/process_description/main/process_areas/safety_analysis/safety_analysis_roles.html#rl__safety_engineer
- Deviation_9: The statement “There will be HW / SW integration tests of feature requirements, as required by ISO 26262 part 6.” is wrong. The PMP needs to be changed as there are no such requirements in part 6. HW/ SW integration is covered by part 4. - see https://eclipse-score.github.io/process_description/main/process_areas/safety_management/guidance/guideline_safety_management.html "Planning integration and verification" and https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#tailoring "There will be SW integration tests of feature requirements, as required by ISO 26262 part 6-10."
Component qualification:
- Action_5: it needs to be checked if the classification is ISO PAS 8926 compliant. - see https://eclipse-score.github.io/process_description/main/process_areas/safety_management/guidance/guideline_component_classification.html
- Action_6: A qualification process based on the software component’s classification is not yet described. - see module safety plan, now also referenced in the safety management guideline - start from https://eclipse-score.github.io/process_description/main/process_areas/safety_management/guidance/guideline_safety_management.html "(OSS) Component qualification planning"
- Action_7: The related page for the classification of software components cannot be found on the Eclipse web site. The topic needs to be re-addressed. - see https://eclipse-score.github.io/process_description/main/folder_templates/modules/module_name/component_name/docs/component_classification.html
- "not started": Verification of qualification of a software component: present in next Audit incl. example, https://eclipse-score.github.io/process_description/main/process_areas/verification/verification_workproducts.html#wp__verification_module_ver_report - TSF: Planned in https://eclipse-score.github.io/score/main/modules/baselibs/docs/safety_mgt/module_safety_plan.html#component-json-work-products-list - links to https://eclipse-score.github.io/inc_nlohmann_json/main/generated/trustable_report_for_Software.html (has process and explanations https://eclipse-score.github.io/inc_nlohmann_json/main/introduction/index.html), but is work in progress.
Distributed Development (not started):
- Supplier selection criteria - is tailored out, see https://eclipse-score.github.io/score/main/platform_management_plan/safety_management.html#tailoring
- Initiation and planning of distributed development - same
- Execution of distributed development - same
Status
Done