From 02473bcb7e7a111998f087d04dc91e23c25ee1ef Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 1 May 2026 20:32:32 +0000 Subject: [PATCH] fix(stpa): correct TCL numbering to ISO 26262-8 (TCL1) with DO-330 cross-walk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The "Tool Confidence Level" header in safety/stpa/tool-qualification.yaml read "TCL 1 (highest)" — which mixed two opposite conventions: ISO 26262-8 §11.4.7 numbers TCL inversely to DO-330 (26262 TCL1 is the *lowest* confidence demand; DO-330 TQL-1 is the *highest* rigor). The legacy wording was self-contradictory in our own dogfood — flagged by the qualification-dossier triage on issue #254 (Workstream A, A1). Replace the header with: * "TCL1 (ISO 26262-8 §11.4.7)" — 26262 numbering, no parenthetical that contradicts the standard. * Brief explanation that oracle-gated validation raises TD enough to keep the TI×TD matrix at TCL1, with the safety risk still framed explicitly (a false PASS can prevent detection of a safety-critical gap). * Cross-walk paragraph documenting the inverse numbering between 26262 (TCL1 lowest, TCL3 highest) and DO-330 (TQL-1 highest, TQL-5 lowest) so future readers don't repeat the same mix-up. Comment-only change. No schema, no validation logic, no rust source touched. `rivet validate` error set is byte-identical to the pristine- main baseline (the 6 pre-existing errors live in the spar external fixture and are unaffected). Workstream A2-A5 (typed `tool-confidence` artifact, `ai-found-defect` type, dossier doc, `--qualification-mode` flag) remain — this PR is the A1 slice only and intentionally does not close #254. Implements: REQ-002 Refs: #254 🤖 Generated with [Claude Code](https://claude.com/claude-code) — issue-triage agent run 2026-05-01. --- safety/stpa/tool-qualification.yaml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/safety/stpa/tool-qualification.yaml b/safety/stpa/tool-qualification.yaml index d35731ca..09aa73ae 100644 --- a/safety/stpa/tool-qualification.yaml +++ b/safety/stpa/tool-qualification.yaml @@ -11,9 +11,18 @@ # s-expression evaluator, variant/PLE system, Zola export, needs-json # import, MCP write tools, and git hook integration. # -# Tool Confidence Level (TCL): TCL 1 (highest) — rivet's output is -# directly used as compliance evidence. A false PASS from rivet can -# prevent detection of a safety-critical gap. +# Tool Confidence Level (TCL): TCL1 (ISO 26262-8 §11.4.7) — rivet's +# output is directly used as compliance evidence, but oracle-gated +# validation raises Tool error Detection (TD) enough that the TI×TD +# matrix lands at TCL1. A false PASS from rivet can prevent detection +# of a safety-critical gap; the TI/TD analysis under Workstream A of +# the tool-qualification dossier qualifies that claim. +# +# Cross-walk: ISO 26262 numbers TCL inversely to DO-330. 26262 TCL1 +# is the *lowest* confidence demand (TCL3 highest); DO-330 TQL-1 is +# the *highest* rigor (TQL-5 lowest). The legacy "TCL 1 (highest)" +# wording in this file mixed the two conventions; this file now +# follows ISO 26262 numbering. # # Reference: STPA Handbook §2.3, ISO 26262-8 §11.4.7 # =============================================================================