FMEA
The FMEA is done on the “first zoom level” of the architecture, the main workflow.
The relevant elements are annotated by oval labels, see also the diagram legend.
Fault Model
The following analysis is based on this generic fault model for activity diagrams:
Element Type |
Error ID |
Generic Error Description |
|---|---|---|
Data storage |
DS1 |
Stored data changed before read operation |
DS2 |
New data not stored / keeps old data / stuck at specific value |
|
Data flow |
DF1 |
Transferred data changed |
DF2 |
Transferred data lost |
|
DF3 |
Data stored at / read from wrong location in data store |
|
DF4 |
Data transferred to wrong data store |
|
Processing |
PR1 |
Calculates wrong results |
PR2 |
Processing is skipped |
|
PR3 |
Processing too slow/fast |
|
Control flow |
CF1 |
Control flow stops |
CF2 |
Control flow proceeds to wrong process |
If more than one error is identified for the same element with the same error ID, a counter is added, e.g. PR1.1, PR1.2, etc.
In the following sections, references to files are shown which end with _spec.rb. These files
are test files which can be found in the spec folder of the dox_trace extension, e.g.
<dox_trace root>/spec/asil_spec.rb.
Generalized Errors
The following errors are analyzed generically and not on architectural element level.
Error ID |
General Error Description |
Measures |
|---|---|---|
DF1, DF2, DF3 |
Data is corrupted or lost during file access or wrong files are accessed. |
This tool runs without network access or memory queues. It is assumed that underlying layers like Python or the OS are qualified. Potential issues with data are analyzed in “Data storage” and “Processing” elements. |
DF4 |
Every data store type exists only once in the system, e.g. RST files cannot be stored in Exit code. |
Trying to do something like this will lead to a program exception. dox_trace will terminate with an exit code != 0. |
PR3 |
dox_trace has no timing constraints. But a too slow execution might frustrate the user, so that the user removes the mandatory check on the code review tool. |
It’s mentioned in the Integration Guide of dox_trace that the verifier from the code review tool is mandatory and must not be removed or skipped. |
CF1 |
A complete stop of the control flow is usually no problem for a tool which runs offline and not on the target hardware. dox_trace is used for verifying changes on a code review tool. A stopped or terminated Sphinx build due to timeout must not lead to a merged commit. |
It’s mentioned in the Integration Guide of dox_trace that the verifier from the code review tool must exit successfully, otherwise the commit must be rejected. |
CF2 |
This is a very generic problem and can lead to random errors. |
The likelihood is reduced to a minimum by intensive unit tests. To ensure that enough unit tests are written, the code coverage is 100%. |
Main Workflow
This analysis is done on the Fig. 7 with the Use Cases in mind.
Element ID |
Error ID |
Specific Error Description |
Measures |
References |
|---|---|---|---|---|
p1 |
PR1.1 |
Cache is not prepared properly which could lead to undefined behaviour. |
|
|
PR1.2 |
The version is not determined correctly which may lead in using incompatible cache data. |
This is only relevant if the extension is updated.
|
||
PR2 |
Callbacks or directives are not registered which means the extension is not active. |
When trying to parse specifications, Sphinx will raise an exception due to unknown directives and terminate with exit code != 0. |
|
|
p2 |
PR1.1 |
Files are loaded incorrectly or not loaded completely. |
|
|
PR1.2 |
Wrong files are loaded. |
|
||
PR2 |
If loading is skipped, no specifications are available for subsequent steps. |
This is recognized by the user or latest by the reviewer in the code review tool because the HTML output and the Dim export will be empty. |
||
p3 |
PR1 |
Consistency checks are passed even with inconsistent data. |
|
|
PR2 |
Consistency checks are not executed. |
see p3/PR1 |
n/a |
|
p4 |
PR1 |
HTML output is wrong. |
|
|
PR2 |
HTML output is missing or stored at wrong location. |
|
|
|
p5 |
PR1 |
Dim export is wrong. |
|
|
PR2 |
Dim export is missing or stored at wrong location. |
|
|
|
p6 |
PR1 |
The exit code is set to a value != 0 instead of 0. |
|
|
PR2 |
The exit code is not set explicitly which means it can be != 0 instead of 0. |
see p6/PR1 |
n/a |
|
p7 |
PR1 |
The exit code is set to 0 instead of != 0. |
Tested by unit tests. |
In almost every unit test the exit code is checked. |
PR2 |
The exit code is not set explicitly which means it can be 0 instead of != 0. |
see p7/PR1 |
n/a |
|
s1, s8 |
DS1.1 |
Wrong specification data is loaded. |
|
|
DS1.2 |
Files do not exist in the file system. |
If files do not exist, Sphinx will terminate with an exit code != 0. |
||
DS2 |
n/a, only read access |
n/a |
n/a |
|
s2 |
DS1 |
The cache is corrupted. |
|
|
DS2 |
The cache is not updated. |
|
||
s3 |
DS1 |
n/a, only write access |
n/a |
n/a |
DS2 |
Existing HTML files are not updated. |
see p4/PR2 |
n/a |
|
s4 |
DS1.1 |
Dim export is missing or stored at wrong location. |
see p5/PR1 and p5/PR2 |
n/a |
DS1.2 |
Properties file is not loaded. |
Fallback values of all attributes are either empty or not_set, which means this is identified by manual review or automatic checks. |
||
DS1.3 |
Other configuration parameters e.g. regarding backward compatibility are not as intended. |
|
||
DS2 |
n/a, only read access |
n/a |
n/a |
|
s5 |
DS1 |
n/a, only write access |
n/a |
n/a |
DS2 |
Existing Dim files are not updated correctly. |
see p5/PR1 and p5/PR2 |
n/a |
|
s6 |
DS1 |
n/a, only write access |
n/a |
n/a |
DS2 |
Wrong exit code is used. |
see p6/PR2 and p7/PR2 |
n/a |
|
s7 |
DS1 |
n/a, only write access |
n/a |
n/a |
DS2 |
Error messages are wrong or not visible on the console. |
|
|
|