.. _fsd011:

FSD011: Hazard and risk analysis
#################################

.. header

.. list-table:: Header
   :header-rows: 0

   * - Title
     - FSD011: Hazard and risk analysis
   * - Current version
     - V1
   * - Products
     - Safety Simplifier
   * - Requirements
     - 61508-1 clause 7.4 (hazard and risk analysis)
   * - Purpose
     - determine hazards, hazardous events and hazardous situations
   * - Input
     - FSD010: Concept and overall scope definition
   * - Output
     - FSD011: Hazard and risk analysis

Table of contents
***********************

.. contents::

Description
***********

This document describes the hazards and risks associated with the Safety Simplifier, from the scope defined in :ref:`fsd010`.

Particular attention is given to abnormal and infrequent modes of operation, such as:

* configuration
* fatal error/safe state
* startup

Hazardous events and hazardous situations
*****************************************

The following hazardous events and hazardous situations have been determined:

.. needtable::
   :columns: id, title, status, derived
   :tags: hazard

.. hazard:: Internal hardware failure
   :id: HAZARD_01
   :tags: hazard
   :derived: SREQ_N_01

   An internal hardware failure in the Safety Simplifier can lead to inputs being read incorrectly, outputs being incorrectly active, or logic executing incorrectly. Faulty components, random component failure or wear, and environmental factors can all contribute to internal hardware failures.

.. hazard:: External hardware failure
   :id: HAZARD_02
   :tags: hazard
   :derived: SREQ_N_02

   Inputs short-circuited to high logic levels can lead to an input being identified as high even though it is not. Outputs short-circuited to high logic levels can lead to outputs being active even though they should not be. In contrast to :need:`HAZARD_01`, logic is not affected by external hardware failures.

.. hazard:: Active or sporadically active outputs during system configuration
   :id: HAZARD_03
   :tags: hazard
   :derived: SREQ_N_03

   While a user is configuring a unit, outputs could be active or sporadically active, which could result in unsafe function.

.. hazard:: Active or sporadically active outputs in other Safety Simplifiers during system configuration
   :id: HAZARD_04
   :tags: hazard
   :derived: SREQ_N_04

   While a user is configuring a unit, outputs in other Safety Simplifiers could be active or sporadically active, which could result in unsafe function.

.. hazard:: Active or sporadically active outputs after detecting a fault
   :id: HAZARD_5
   :tags: hazard
   :derived: SREQ_N_05

   After detecting a dangerous fault and entering safe state, outputs could be active or sporadically active.

.. hazard:: Active or sporadically active outputs in other Safety Simplifiers after detecting a fault
   :id: HAZARD_6
   :tags: hazard
   :derived: SREQ_N_06

   After detecting a dangerous fault and entering safe state, outputs in other Safety Simplifiers could be active or sporadically active.

.. hazard:: Human error during configuration
   :id: HAZARD_7
   :tags: hazard
   :derived: SREQ_N_07A, SREQ_N_07B

   A mistake during configuration could lead to wrong units being paired, or units not being paired at all, while the user expected them to be paired. This is particularly relevant for configuration interfaces where the user is not directly connected to the unit, such as the radio and CAN interfaces.

.. hazard:: During service, replacement of a unit results in wrong configuration or pairing
   :id: HAZARD_08
   :tags: hazard
   :derived: SREQ_N_07A, SREQ_N_07B

   A mistake during servicing could lead to wrong units being paired, or units not being paired at all, while the user expected them to be paired.

.. hazard:: Communication errors for all communication interfaces, as defined in 61784-3
   :id: HAZARD_09
   :tags: hazard
   :derived: SREQ_N_09A, SREQ_N_09B, SREQ_N_09C, SREQ_N_09D

   Errors in communication can lead to undefined function. The following communication interfaces have to handle this:

   * Radio
   * CAN
   * General black channel interface
   * CPU-to-CPU communication

.. hazard:: Power supply failures
   :id: HAZARD_10
   :tags: hazard
   :derived: SREQ_N_10

   No voltage, low voltage, high voltage, and unstable voltage can lead to undefined function.

.. hazard:: Downloading of configuration to wrong destination nodes
   :id: HAZARD_11
   :tags: hazard
   :derived: SREQ_N_07A, SREQ_N_07B, SREQ_N_07D

   As a result of a user error or software error, a configuration can be downloaded to the wrong destination node.

.. hazard:: Failure to download
   :id: HAZARD_12
   :tags: hazard
   :derived: SREQ_N_07A, SREQ_N_07B

   Due to an interruption while configuring a unit, the configuration was not completely downloaded, but the user believed it was.

.. hazard:: Corrupted configuration
   :id: HAZARD_13
   :tags: hazard
   :derived: SREQ_N_07A, SREQ_N_07B, SREQ_N_07C

   An interruption during download or a software error can lead to a corrupted configuration, which can lead to undefined function.

.. hazard:: Too wide fault handling, false positives, and unreliable operation
   :id: HAZARD_14
   :tags: hazard
   :derived: SREQ_N_14A, SREQ_N_14B, SREQ_N_14C

   If a user experiences too many false positives or faults that are unclear, they may start to circumvent safety functions.

.. hazard:: Inaccurate time measurement in logic
   :id: HAZARD_15
   :tags: hazard
   :derived: SREQ_N_15A, SREQ_N_15B

   Software or hardware errors that cause time measurements to be incorrect may lead to errors in safety functions that rely on correct time and delays.
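:need:`HAZARD_11`, :need:`HAZARD_12` and :need:`HAZARD_13` above describe three distinct ways a configuration download can go wrong. The following added example (not Safety Simplifier code; the frame layout, CRC choice and node ids are assumptions made for illustration) shows a receive-side check that tells the three apart before a downloaded configuration is accepted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame layout (an assumption, not the product's real format):
   [0..1]      destination node id, big-endian
   [2..3]      payload length N, big-endian
   [4..4+N)    configuration payload
   [4+N..8+N)  CRC-32 (IEEE, reflected) over bytes 0..4+N */
enum cfg_status { CFG_OK = 0, CFG_WRONG_NODE, CFG_INCOMPLETE, CFG_CORRUPT };

static uint32_t crc32_ieee(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Classifies a received frame: wrong destination (HAZARD_11), truncated
   download (HAZARD_12) or corrupted content (HAZARD_13). CRC is checked last,
   so a truncated or misaddressed frame is reported as such, not as "corrupt". */
enum cfg_status cfg_verify(const uint8_t *f, size_t received, uint16_t my_node) {
    if (received < 8) return CFG_INCOMPLETE;            /* header + CRC cannot fit */
    uint16_t dest = (uint16_t)((f[0] << 8) | f[1]);
    uint16_t len  = (uint16_t)((f[2] << 8) | f[3]);
    if (dest != my_node) return CFG_WRONG_NODE;          /* not addressed to us */
    if (received != (size_t)len + 8) return CFG_INCOMPLETE; /* download stopped early */
    uint32_t want = ((uint32_t)f[4 + len] << 24) | ((uint32_t)f[5 + len] << 16) |
                    ((uint32_t)f[6 + len] << 8)  |  (uint32_t)f[7 + len];
    if (crc32_ieee(f, 4 + len) != want) return CFG_CORRUPT;
    return CFG_OK;
}

/* Builds a well-formed frame for node `dest`; returns the total frame length. */
size_t cfg_build(uint8_t *out, uint16_t dest, const uint8_t *payload, uint16_t n) {
    out[0] = dest >> 8; out[1] = dest & 0xFF; out[2] = n >> 8; out[3] = n & 0xFF;
    memcpy(out + 4, payload, n);
    uint32_t c = crc32_ieee(out, 4 + n);
    out[4+n] = c >> 24; out[5+n] = c >> 16; out[6+n] = c >> 8; out[7+n] = c;
    return (size_t)n + 8;
}

/* Runs one constructed scenario against node 0x0102 and returns the verdict:
   0 = intact frame, 1 = frame addressed to node 0x0201 instead,
   2 = last 3 bytes never arrived, 3 = one payload bit flipped in transit. */
enum cfg_status cfg_demo(int scenario) {
    static const uint8_t payload[4] = { 0xA5, 0x01, 0x00, 0x7E };  /* constructed */
    uint8_t frame[16];
    size_t n = cfg_build(frame, scenario == 1 ? 0x0201 : 0x0102, payload, 4);
    if (scenario == 2) n -= 3;
    if (scenario == 3) frame[5] ^= 0x10;
    return cfg_verify(frame, n, 0x0102);
}
```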
.. hazard:: Nodes being part of multiple networks, or networks including nodes that should not be part of the network
   :id: HAZARD_16
   :tags: hazard
   :derived: SREQ_N_16A, SREQ_N_16B

   Nodes in a network listening to messages that are not intended for them can lead to undefined function.

.. hazard:: Unauthorized access (malicious and unintentional)
   :id: HAZARD_17
   :tags: hazard
   :derived: SREQ_N_17

   An unauthorized user could, maliciously or unintentionally, remotely via radio or with physical access, reconfigure a system.

.. hazard:: Environmental factors
   :id: HAZARD_18
   :tags: hazard
   :derived: SREQ_N_18

   Using the device outside its specified environmental conditions can lead to undefined function.

.. hazard:: Restart can cause undefined function
   :id: HAZARD_19
   :tags: hazard
   :derived: SREQ_N_19

   A restart (power cycle, software reset or other) can lead to undefined function.

.. hazard:: User interface controlling outputs
   :id: HAZARD_20
   :tags: hazard
   :derived: SREQ_02

   A user interface (display, push buttons, USB, or other) could accidentally control outputs high.

.. hazard:: Nonsafe code/hardware affecting safety function
   :id: HAZARD_21
   :tags: hazard
   :derived: SREQ_30A

   Nonsafe hardware or software could affect the safety function in an unintended way, leading to undefined function.

Revision History
****************

.. list-table::
   :header-rows: 1

   * - Date
     - By
     - Version
     - Description
   * - 2024-12-02
     - William
     - V1
     - Initial version
   * - 2025-01-30
     - William
     - V2
     - Added HAZARD_20. Mapped hazards to requirements in FSD114.