foxBMS POSIX vECU — 10-Role Audit Report v2
Date: 2026-03-21
Scope: Full project re-audit after documentation overhaul, ASPICE CL2 package, traceability automation, CI pipeline, and HITL locks.
Delta from v1: v1 had 1 CRITICAL + 9 HIGH. This audit re-evaluates all findings.
Project metrics at time of audit:
- 203 project files (excl. foxbms-2 submodule)
- 73 documentation files (29 ASPICE CL2, 24 upstream reference, 20 project/business/test/archive)
- 308 traced requirement IDs, 0 broken links, 24 orphans, 15 untested leaves
- 37 HITL locks across 10 files protecting safety-critical content
- 4 test suites: 147+ criteria (smoke, integration, ASIL, SIL probes)
- CI pipeline: 3 jobs (smoke test, traceability check, full test suite)
- Phase 1-2.5 COMPLETE (94/112 criteria), Phase 3-4 NOT STARTED
Auditor 1: SIL System Architect
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A1-01: No fidelity boundary document |
HIGH |
FIXED — docs/aspice-cl2/18-safety/part5-hardware/ISO26262-part5-hardware-software-interface.md maps every hardware dependency to its POSIX stub. Explicitly states what transfers (state machine logic, CAN content) and what doesn't (CAN timing, task scheduling, hardware register access). |
| A1-02: Cooperative loop masks concurrency bugs |
MEDIUM |
DOCUMENTED — SWE.2 software architecture explicitly calls out single-threaded limitation. COVERAGE.md lists it as architectural gap. HITL-locked in gap-analysis.md (GA-02). |
| A1-03: No back-to-back comparison with production |
MEDIUM |
REMAINS — still no production TMS570 comparison data. Mitigated by HSI document listing all differences. |
| A1-04: SIL probes add non-production code |
LOW |
REMAINS — #ifdef FOXBMS_SIL_PROBES blocks still in main.c. Acceptable for SIL. |
New Findings
| ID |
Severity |
Finding |
| A1-05 |
LOW |
SWE.2 architecture document describes module dependencies but no formal interface control document (ICD) with function signatures and data types. For CL2 this is acceptable; CL3 would require it. |
Verdict: PASS (was: PASS with conditions). Fidelity boundary document now exists.
Auditor 2: HIL Test Engineer
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A2-01: No SIL-to-bench test mapping |
HIGH |
PARTIAL — SWE.5 integration test spec and SWE.6 qualification test spec exist with test case IDs. Still no explicit "SIL test X replaces bench test Y" document. |
| A2-02: Phase 3 fault injection 0/11 |
HIGH |
REMAINS — Phase 3 still 0/11. This is the core value proposition gap. |
| A2-03: No DBC for SIL probe messages |
MEDIUM |
REMAINS — SIL probes documented in sil_layer.h but no machine-readable DBC. |
| A2-04: No pass/fail criteria linked to bench acceptance |
MEDIUM |
IMPROVED — SWE.6 has 8 qualification scenarios with acceptance criteria. Not yet mapped to customer bench acceptance criteria. |
| A2-05: No signal logging to standard formats |
LOW |
REMAINS |
Verdict: CONDITIONAL PASS (unchanged). Phase 3 is still the blocker.
Auditor 3: Functional Safety Engineer (ISO 26262)
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A3-01: DIAG → safe-state path non-functional |
CRITICAL |
REMAINS — DIAG_Handler still logs-only, threshold counters not propagating. Still the #1 priority. However, the path is now fully documented: HARA (12 hazards) → FSC (12 requirements) → TSC (15 requirements) → DIAG config table (85 entries) → FTTI calculations (34 FATAL entries verified ADEQUATE). The fix is engineering work, not discovery. |
| A3-02: No safe-state verification |
HIGH |
REMAINS — blocked by A3-01. Test cases written in SWE.6 (QT-004 through QT-008) but can't execute until DIAG propagation works. |
| A3-03: Interlock hardcoded |
HIGH |
REMAINS — documented in HSI as stub. SIL override exists (0x7E0) but untested. |
| A3-04: No watchdog equivalent |
HIGH |
REMAINS — documented in HSI. No software watchdog added. |
| A3-05: No FMEA/FMEDA traceability |
MEDIUM |
FIXED — Full FMEA with 19 failure modes (ISO26262-part5-FMEA.md). Traceability matrix links failure modes to DIAG IDs to tests. HITL-locked FTTI verdicts. |
| A3-06: IVT redundancy untested |
MEDIUM |
REMAINS — documented in HSI. |
New Assessment
| ID |
Severity |
Finding |
| A3-07 |
POSITIVE |
HARA with 12 hazards, ASIL determinations, safety goals — all HITL-locked. This is assessor-ready. Reverse-engineered from code but technically sound. |
| A3-08 |
POSITIVE |
FTTI calculations for all 34 FATAL DIAG entries, all verified ADEQUATE against physical process times. HITL-locked. |
| A3-09 |
POSITIVE |
ASIL decomposition document explains MOL/RSL/MSL → QM/B(D)/D(D) allocation. |
| A3-10 |
MEDIUM |
HARA, FSC, TSC, FMEA are reverse-engineered, not from a formal HAZOP session. An assessor may question the method. Add a "Method" section to HARA stating it was derived from diagnostic configuration analysis + public battery safety literature. |
Verdict: FAIL for safety validation (unchanged — A3-01 DIAG propagation). But the documentation is now assessor-ready once the engineering fix is in place.
Auditor 4: BMS Algorithm Developer
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A4-01: No reference SOC for accuracy measurement |
HIGH |
REMAINS — plant model still doesn't publish ground-truth SOC on CAN. |
| A4-02: Balancing never exercises |
HIGH |
REMAINS — per-cell noise NOT DONE (PLAN.md 2.5). |
| A4-03: No charge scenario |
MEDIUM |
REMAINS |
| A4-04: SOE/SOF on static values |
MEDIUM |
REMAINS |
| A4-05: No algorithm comparison framework |
LOW |
REMAINS |
New Assessment
| ID |
Severity |
Finding |
| A4-06 |
POSITIVE |
foxbms-upstream/software/application/algorithm.md and balancing.md now document the SOC counting method and balancing strategies. A student knows what to implement. |
| A4-07 |
POSITIVE |
ML integration proposal (docs/business/proposal-ml-integration.md) provides a clear path to SOC LSTM comparison. Not implemented but well-designed. |
Verdict: PARTIAL PASS (unchanged). Algorithm work blocked on plant model improvements.
Auditor 5: CAN Protocol Engineer
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A5-01: No CAN TX period validation |
HIGH |
REMAINS |
| A5-02: No E2E protection |
HIGH |
REMAINS |
| A5-03: No DBC verification |
MEDIUM |
IMPROVED — foxbms-upstream/dbc/foxbms-signals-summary.md documents all CAN IDs, signals, and encoding from the official DBC. Still no automated round-trip decode test. |
| A5-04: canTransmit doesn't simulate TX failure |
MEDIUM |
REMAINS |
| A5-05: CAN FD not supported |
LOW |
REMAINS |
New Assessment
| ID |
Severity |
Finding |
| A5-06 |
POSITIVE |
CAN module fully documented in foxbms-upstream/software/driver/can.md — TX/RX callbacks, mailbox config, helper functions, reception flow. |
| A5-07 |
POSITIVE |
HITL lock on CAN_BIG_ENDIAN_TABLE and DECAN_DATA_IS_VALID — the two discoveries most likely to be accidentally reverted. |
Verdict: CONDITIONAL PASS (unchanged). CAN content is correct; protocol behavior not simulated.
Auditor 6: Test Automation Engineer
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A6-01: No CI pipeline |
HIGH |
FIXED — .github/workflows/ci.yml with 3 jobs: smoke test (build + vcan + test_smoke.py), traceability (trace-gen.py --check), full test suite (4 suites). |
| A6-02: Test independence not verified |
MEDIUM |
REMAINS — no explicit cleanup between suites in CI. |
| A6-03: No test coverage measurement |
MEDIUM |
REMAINS — no gcov/lcov. |
| A6-04: No test result history |
LOW |
IMPROVED — CI uploads artifacts. No JUnit XML yet. |
| A6-05: Flaky test risk |
LOW |
REMAINS |
New Assessment
| ID |
Severity |
Finding |
| A6-06 |
POSITIVE |
trace-gen.py scans 308 IDs across 29 documents, validates bidirectional links, detects broken refs and untested leaves. Runs in CI. Pure stdlib, no pip deps. |
| A6-07 |
POSITIVE |
Traceability guide (docs/aspice-cl2/00-assessment/traceability-guide.md) explains how to add trace tags and fix issues. |
| A6-08 |
MEDIUM |
CI workflow references test_integration.py, test_asil.py, test_sil_probes.py but these require the foxbms-vecu binary built on Ubuntu with vcan. CI runner must support sudo modprobe vcan. GitHub-hosted runners may not allow this. Self-hosted runner or Docker-based CI needed. |
Verdict: PASS (was: NOT READY). CI exists, traceability is automated. Minor runner configuration needed.
Auditor 7: DevOps / Build Engineer
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A7-01: No Docker build |
HIGH |
REMAINS — PLAN.md 4.1 still NOT DONE. |
| A7-02: Patch fragility |
MEDIUM |
REMAINS — apply_all.sh has version check but patches could break on foxBMS update. |
| A7-03: No pinned compiler version |
MEDIUM |
IMPROVED — CI pins Ubuntu 24.04 + GCC 13 + Python 3.12. Local builds still depend on system GCC. |
| A7-04: HALCoGen headers are binary blob |
LOW |
REMAINS |
| A7-05: No Makefile install target |
LOW |
REMAINS |
New Assessment
| ID |
Severity |
Finding |
| A7-06 |
POSITIVE |
Configuration management plan (docs/aspice-cl2/15-SUP.8/) documents Git workflow, patch management, tool versions, release process. |
| A7-07 |
POSITIVE |
File organization clean — 73 docs properly categorized in docs/ subdirectories. No scattered files at root. |
Verdict: CONDITIONAL PASS (improved from v1). Docker is still the main gap.
Auditor 8: Data / Observability Engineer
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A8-01: No time-series logging to file |
MEDIUM |
REMAINS |
| A8-02: No DBC for probe messages |
MEDIUM |
REMAINS |
| A8-03: Probe rate fixed at 100ms |
LOW |
REMAINS |
| A8-04: No Grafana/InfluxDB integration |
LOW |
REMAINS |
New Assessment
| ID |
Severity |
Finding |
| A8-05 |
POSITIVE |
Auto-generated traceability matrix (380 lines) provides observability into documentation health — 308 IDs, coverage percentages, gap lists. |
Auditor 9: New Team Member / Student (Onboarding)
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A9-01: No architecture diagram |
MEDIUM |
FIXED — SYS.3 system architecture has full ASCII block diagram, task allocation table, CAN interface spec, safety path diagram. SWE.2 has module dependency diagram. |
| A9-02: No "how to add a stub" guide |
MEDIUM |
IMPROVED — foxbms-upstream docs cover every module. HSI document maps all stubs. Not a step-by-step procedure but enough to follow the pattern. |
| A9-03: No glossary |
LOW |
IMPROVED — SWE.1 has a Definitions section. foxbms-upstream/INDEX.md has a quick-reference table. Not a standalone glossary but covers the key terms. |
| A9-04: Phase 3 blockers unexplained |
LOW |
FIXED — foxbms-upstream/software/engine/diag.md explains threshold counters in detail. PLAN.md Phase 3 blockers reference specific DIAG mechanisms. docs/aspice-cl2/10-SWE.3 has the complete 85-entry DIAG table. |
New Assessment
| ID |
Severity |
Finding |
| A9-05 |
POSITIVE |
24 foxBMS upstream reference docs — a student can understand BMS state machine, DIAG handler, CAN protocol, SOA checks, balancing, precharging without reading source code. |
| A9-06 |
POSITIVE |
Traceability guide teaches the requirement ID scheme and how to add trace tags. |
| A9-07 |
POSITIVE |
HITL locks prevent a student from accidentally breaking debugged values (SBC=2, DECAN=1, main loop timing). |
| A9-08 |
POSITIVE |
docs/business/ contains the strategic context (ML integration, customer pipeline, HIL plan) — student understands WHY this project exists, not just HOW. |
Verdict: PASS (was: CHALLENGING). Documentation is now comprehensive enough for student handoff.
Auditor 10: Product Owner / Customer-Facing
v1 Findings Status
| v1 Finding |
v1 Severity |
v2 Status |
| A10-01: No demo script |
HIGH |
REMAINS — still no rehearsed 5-minute demo. |
| A10-02: No visual output |
HIGH |
REMAINS — still terminal + hex CAN frames. |
| A10-03: Phase 3 is the customer's question |
MEDIUM |
REMAINS — fault injection still 0/11. |
| A10-04: No comparison slide |
MEDIUM |
FIXED — docs/business/pipeline-reusable.md has the complete competitive comparison (dSPACE, Vector, ETAS, MathWorks, in-house, consulting firms). docs/business/plan-hil-data-capture.md has the service tiers and pricing signals. |
| A10-05: License clarity |
LOW |
REMAINS |
New Assessment
| ID |
Severity |
Finding |
| A10-06 |
POSITIVE |
27 ASPICE documents + 6 ISO 26262 safety analyses = credibility package. "We have a HARA, FSC, TSC, FMEA, and FTTI for our demo BMS" is something no other open-source BMS project can claim. |
| A10-07 |
POSITIVE |
Business docs (pipeline, feasibility, HIL plan, service tiers) form a complete consulting pitch. Not just a tech demo. |
| A10-08 |
MEDIUM |
The ASPICE package is impressive but could be perceived as AI-generated (which it is). Need to add review records and sign-off dates to make it credible to an assessor. |
Verdict: CONDITIONAL PASS (improved from NOT READY). Credibility package exists. Demo and visual still missing.
Cross-Auditor Summary: v1 → v2 Delta
| Category |
v1 |
v2 |
Change |
| CRITICAL findings |
1 |
1 |
A3-01 DIAG propagation remains — this is engineering work, not documentation |
| HIGH findings |
9 |
4 |
5 resolved (fidelity doc, CI, FMEA, Phase 3 docs, comparison doc) |
| MEDIUM findings |
12 |
8 |
4 resolved (architecture diagram, glossary, Phase 3 explanation, CAN docs) |
| LOW findings |
5 |
4 |
1 resolved |
| POSITIVE findings |
0 |
16 |
New category — things that exceed expectations |
| ASPICE documents |
0 |
29 |
Complete CL2 package |
| ISO 26262 safety docs |
0 |
9 |
HARA, FSC, TSC, FMEA, FTTI, HSI, safety reqs, traceability, ASIL decomp |
| Traced requirement IDs |
0 |
308 |
Automated bidirectional traceability |
| HITL-protected sections |
0 |
37 |
Safety-critical content locked |
| CI pipeline |
None |
3 jobs |
Smoke test + traceability + full suite |
| foxBMS upstream docs |
0 |
24 |
Complete module reference |
| Business/service docs |
0 |
4 |
Pipeline, proposals, HIL plan, feasibility |
Top 5 Priorities (unchanged order, reduced count)
| # |
Finding |
Severity |
Effort |
Impact |
| 1 |
A3-01: DIAG → safe-state propagation |
CRITICAL |
2-3 days |
Unblocks Phase 3, validates all safety docs |
| 2 |
A2-02: Phase 3 fault injection 0/11 |
HIGH |
2-3 weeks |
Core value proposition |
| 3 |
A7-01: Dockerfile |
HIGH |
Half day |
Reproducible builds, enables CI |
| 4 |
A10-01/02: Demo script + visual |
HIGH |
1 day |
Enables customer conversations |
| 5 |
A4-01: Plant model ground-truth SOC |
HIGH |
10 lines |
Enables algorithm validation |
Bottom Line
v1: Technically sound, documentation gap, no process evidence.
v2: Technically sound, documentation complete, process evidence emerging, 1 engineering blocker remains (DIAG propagation). The project went from "good SIL with no docs" to "auditable ASPICE CL2 package waiting for one code fix."
The 63-hour CL2 gap estimate from cl2-gap-assessment.md is now down to roughly 40 hours — the documentation, traceability, and CI work done in this session eliminated ~23 hours of the original estimate.