Legal information

Copyright DB Netz AG, licensed under CC-BY SA 3.0 DE (see full text in CC-BY-SA-3.0-DE)

ARCH.904 Incorporate risk control measures in the operational needs

RCAMT-616 - Update of Input/Output for some ARCH process steps and improve understanding of incorporate risk control measures (Finished)

Goal

Define how an operational capability will be fulfilled while the identified risks are reduced to an acceptable level through implemented risk control measures.

Requirements met by this process step

ISO 15288 6.3.4 d) 2

ISO 15288 6.4.1.3 b 2)

CSM-SMS guidance 1.1a)

EN 50126-1 7.2.2 a)

Inputs

AMOD-028 Operational activities and interaction definitions (single operational capability)

AMOD-027 Operational bare business scenario

AMOD-137 Single operational capability context

AMOD-021 Operational capabilities definition

AMOD-023 Operational entity/actor states

AMOD-022 Enterprise & environment definition

AMOD-110 Operational exchange items [O.CDB]

AMOD-105 Operational data objects [O.CDB]

(reference only):

AMOD-107 Safety hazard, security issue, business risk log

Method for definition of scenarios

Outputs

AMOD-033 Operational business scenario with risk control measures

AMOD-035 Operational business process with risk control measures

AMOD-028 Operational activities and interaction definitions (single operational capability) (updated)

AMOD-110 Operational exchange items [O.CDB] (updated)

AMOD-105 Operational data objects [O.CDB] (updated)

AMOD-023 Operational entity/actor states (updated)

AMOD-137 Single operational capability context (updated)

AMOD-021 Operational capabilities definition (updated)

Methodology

Content

1. Update operational activities and interactions

This task updates AMOD-028 by implementing risk mitigations as follows:

For every entry in the risk logs:
  • where the risk mitigation specifies a new operational activity,
      ◦ create a new operational activity;
      ◦ create appropriate interactions between the new operational activity and existing activities;
  • where the risk mitigation specifies a non-functional requirement against an operational activity on the current diagram,
      ◦ create a new non-functional requirement with content matching the risk mitigation;
      ◦ link the non-functional requirement to the activity specified in the risk mitigation.

2. Create operational scenario with risk control measures

This task creates AMOD-033 by implementing risk mitigations as follows:

Begin by setting out the interactions of the scenario for the bare business scenario.
Then introduce any new interactions identified through the risk assessment, at the correct point in the scenario.

Ensure that all the non-success paths identified in the deviation analysis are now represented on the scenario.

See the chapter "Specific guidance for scenarios applicable at the operational analysis" in Method for definition of scenarios for more guidance.

3. Create operational process with risk control measures

This task creates AMOD-035 by implementing risk mitigations as follows:

Begin by setting out the activities and interactions of the bare business process, without linking them together with sequences. Then introduce any new activities and interactions identified through the risk assessment.

Ensure that all non-success paths identified during the deviation analysis are now represented on the diagram. When all activities are placed sensibly in order, complete the sequence links.

4. Update operational data

This task updates AMOD-110 and AMOD-105 by implementing risk mitigations as follows:

For every entry in the risk logs:
  • where the risk mitigation specifies the need for additional operational data,
      ◦ create new elements (exchange items, data objects as necessary);
      ◦ allocate the new elements to the appropriate interactions between operational activities;
  • where the risk mitigation specifies a constraint on operational data,
      ◦ update the exchange items and data objects as necessary;
      ◦ review the allocation of the updated elements to ensure that the elements they are allocated to still support them.

Examples of such constraints include, among others, data separation and redundancy.

5. Update operational states

This task updates AMOD-023 by implementing risk mitigations as follows:

During risk assessment for an operational scenario, new states that were not known before may be identified for operational entities or actors.

Either update existing instances of view AMOD-023 or, where no statefulness was previously identified for an operational actor/entity, create a new one.

This activity should be done in parallel with the initial analysis of an operational capability.

6. Update operational activity to state mapping

This task updates the activity-to-state mapping wherever an activity is active in a specific state.

7. Update dependencies and pre/post conditions

This task updates AMOD-137 and AMOD-021 by implementing risk mitigations as follows:

After the risk control measures have been elaborated, the boundary of the operational capability of interest is clear.

AMOD-137 can then be updated in terms of its dependencies together with its pre- and post-conditions. At this point it is necessary to align with the owners of the other operational capabilities connected to the operational capability of interest, e.g. on the states of entities/actors and/or on the abstract concepts or exchange items to be evaluated.

The end result should be that the start conditions of the operational capability correspond to the end conditions of the other operational capabilities (and vice versa). Overlaps should be avoided. Gaps should be checked to ensure that nothing important has been missed.

Depending on the number of dependencies, this process step can require a lot of time to align with the other operational capabilities.
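As an added illustration (not part of the method or its tooling), the following Python sketch applies the step 1 rules to a constructed risk log and then runs the checks implied by step 7 and the completion criteria: every risk entry traces to a model element, new activities take part in interactions, and capability start/end conditions line up without gaps or overlaps. The data structures and field names are assumptions, not Capella's or the method's own format.

```python
from dataclasses import dataclass, field

# Constructed sample risk log (a simplified, hypothetical stand-in for an
# AMOD-107 export); the field names are assumptions, not the method's own format.
RISK_LOG = [
    {"id": "R1", "kind": "activity", "mitigation": "Confirm route release"},
    {"id": "R2", "kind": "nfr", "mitigation": "Position report within 5 s",
     "activity": "Report position"},
    {"id": "R3", "kind": "activity", "mitigation": "Log operator override"},
]

@dataclass
class OperationalModel:
    activities: set = field(default_factory=set)
    interactions: set = field(default_factory=set)  # (source, target) pairs
    nfrs: dict = field(default_factory=dict)        # NFR text -> constrained activity
    trace: dict = field(default_factory=dict)       # risk id -> element it created

def incorporate(model, risk_log):
    """Step 1 rules: a new activity or a new NFR per risk-log entry, with a trace link."""
    for e in risk_log:
        if e["kind"] == "activity":
            model.activities.add(e["mitigation"])
        else:  # "nfr": the constrained activity must already be on the diagram
            if e["activity"] not in model.activities:
                raise ValueError(f"{e['id']}: activity {e['activity']!r} not in model")
            model.nfrs[e["mitigation"]] = e["activity"]
        model.trace[e["id"]] = e["mitigation"]
    return model

def untraced_risks(model, risk_log):
    """Completion criterion: every risk-log entry must trace to a model element."""
    return [e["id"] for e in risk_log if e["id"] not in model.trace]

def unconnected_activities(model):
    """Step 1 also demands interactions: flag activities that take part in none."""
    linked = {a for pair in model.interactions for a in pair}
    return sorted(model.activities - linked)

def condition_gaps_and_overlaps(capabilities):
    """Step 7: a start condition should be the end condition of exactly one other
    capability. A pre-condition nobody produces is a gap; a post-condition produced
    by several capabilities is an overlap. `capabilities` maps name -> {pre, post}."""
    producers = {}
    for name, cap in capabilities.items():
        for cond in cap["post"]:
            producers.setdefault(cond, []).append(name)
    gaps = sorted({c for cap in capabilities.values() for c in cap["pre"]} - set(producers))
    overlaps = sorted(c for c, names in producers.items() if len(names) > 1)
    return gaps, overlaps
```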

Tools and non-human resources: Team for Capella
Cardinality: Once per operational capability
Completion criteria:
  • The output view conforms to its modelling rules.
  • All relevant risk mitigations have now been incorporated in the scenario and process as described in the output view.
  • All relevant mitigations from all risk logs have been captured in the output view.
  • Statefulness that was identified during the analysis of the operational capability has been captured in the model, or no further statefulness was identified during the analysis of this operational capability.
  • For all the involved entities for this capability, the operational activities associated with each state have been correctly assigned.
Design review

ARCH.R.1 Operational capability review

ARCH.R.2 Operational review - consolidated

Step done by (Responsible): Operational concept architect
Provides input to/assists (Contributes):

System architect

Systems engineer

Cross-cutting engineer

Uses outputs (Informed): RAMS manager (potentially)