# Risk Assessment (FMEA)
Document reference: GFTCL-RA-001 · Framework: GAMP 5 Category 5 · ICH Q9 risk principles
FortressAI Research Institute · Norwich, Connecticut · Patents: USPTO 19/460,960 · USPTO 19/096,071 · © 2026 Richard Gillespie
A risk-based assessment of the functions whose failure would most affect data integrity, value safety, or compliance. Severity (S), Occurrence (O), and Detection (D) are scored 1–5; RPN = S×O×D drives the depth of qualification per function.
## Failure-mode analysis
| # | Function | Failure mode | Effect | S | O | D | RPN | Control |
|---|---|---|---|---|---|---|---|---|
| R1 | Append-only persistence | Record altered/deleted | Loss of data integrity | 5 | 1 | 1 | 5 | DB UPDATE/DELETE abort triggers; SHA-256 witness; IQ schema check |
| R2 | Private-key handling | Key exposed via output/log/mesh | Loss of custody | 5 | 1 | 1 | 5 | Mode-0600 file; CLI refuses export; pre-commit audit grep |
| R3 | Federation cosignature | Row unsigned / unverifiable | Loss of attribution | 4 | 1 | 1 | 4 | signature_quintet per row; federation verify; MQ tests |
| R4 | Bounded authority | Franklin acts outside bounds | Unauthorized operation | 5 | 1 | 2 | 10 | Authority TOML bounds; refused-set; V184 audit |
| R5 | Constitutional floor | Harmful op not refused | Constitutional breach | 5 | 1 | 1 | 5 | C-007…C-010 per measurement (V174) |
| R6 | Exact arithmetic | Float drift in value amount | Value error | 4 | 1 | 1 | 4 | IntRational; floats refused at column |
| R7 | Non-mainnet leakage | testnet/sim path in production | Wrong-network loss | 5 | 1 | 1 | 5 | Pre-commit audit grep; no sim mode |
| R8 | Session replay | Chain not reproducible | Audit failure | 4 | 1 | 2 | 8 | V172 anchors; qc020 replay re-verify |
| R9 | Configuration absence | Daemon uses unsafe default | Mis-target | 5 | 1 | 1 | 5 | Daemon refuses to start without required config |
| R10 | Capacity scaling | Invariant breaks at scale | Measurement error | 4 | 1 | 2 | 8 | Invariants proven identical at any allocation; OQ/PQ |
## Risk priorities
The highest residual attention is on R4 (bounded authority), R8 (replay), and R10 (capacity); each carries the deepest qualification coverage (OQ + PQ + dedicated MQ tests). All controls are verified; no failure mode is left without a detect-and-refuse control.
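A consistency check over the table, as an added example that is not part of the GaiaFTCL project's code: it parses the markdown FMEA rows, confirms each stated RPN equals S×O×D with every factor on the 1–5 scale and a control recorded, and ranks rows by RPN so the residual-attention ordering above can be regenerated from the source rather than read by eye. The `FailureMode`, `parse_fmea`, `validate` and `ranked` names and the constructed `R99` row are assumptions for illustration.

```python
"""Consistency checks for the FMEA table above (added example, not GaiaFTCL code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class FailureMode:
    ref: str
    function: str
    severity: int
    occurrence: int
    detection: int
    stated_rpn: int
    control: str
    @property
    def rpn(self) -> int:
        # RPN = S x O x D, each factor scored 1-5 as the assessment defines
        return self.severity * self.occurrence * self.detection

def parse_fmea(markdown: str) -> list[FailureMode]:
    """Parse the '# | Function | ... | S | O | D | RPN | Control' markdown table."""
    rows = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 9 or not (cells[0][:1] == "R" and cells[0][1:].isdigit()):
            continue  # header, separator, or non-table line
        rows.append(FailureMode(cells[0], cells[1], int(cells[4]), int(cells[5]), int(cells[6]), int(cells[7]), cells[8]))
    return rows

def validate(rows: list[FailureMode]) -> list[str]:
    """Return findings; an empty list means the table is internally consistent."""
    findings = []
    for r in rows:
        for name, score in (("S", r.severity), ("O", r.occurrence), ("D", r.detection)):
            if not 1 <= score <= 5:
                findings.append(f"{r.ref}: {name}={score} is outside the 1-5 scale")
        if r.rpn != r.stated_rpn:
            findings.append(f"{r.ref}: stated RPN {r.stated_rpn} != S*O*D = {r.rpn}")
        if not r.control:
            findings.append(f"{r.ref}: no detect-and-refuse control recorded")
    return findings

def ranked(rows: list[FailureMode], top: int = 3) -> list[str]:
    """Refs of the highest-RPN rows, ties broken by severity, then reference."""
    return [r.ref for r in sorted(rows, key=lambda r: (-r.rpn, -r.severity, r.ref))[:top]]

# Constructed sample: two rows copied from the page plus one row whose stated RPN is wrong
FMEA_TABLE = """\
| # | Function | Failure mode | Effect | S | O | D | RPN | Control |
|---|---|---|---|---|---|---|---|---|
| R4 | Bounded authority | Franklin acts outside bounds | Unauthorized operation | 5 | 1 | 2 | 10 | Authority TOML bounds; refused-set; V184 audit |
| R8 | Session replay | Chain not reproducible | Audit failure | 4 | 1 | 2 | 8 | V172 anchors; qc020 replay re-verify |
| R99 | Constructed row | Stated RPN disagrees with S*O*D | Demonstrates a finding | 4 | 1 | 2 | 6 | Example control |
"""
```

Running `validate(parse_fmea(...))` over the full table on this page should return an empty list; the constructed `R99` row shows what a finding looks like.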
## Risk acceptance
Residual risk is acceptable: every high-severity failure mode has an occurrence control and a detection control, and every control traces to a qualification check in the RTM. New functions are added to this FMEA before they ship (see Change Control).
Federation-cosigned
This page's source is sealed in the GaiaFTCL federation manifest: page SHA-256 f4a67d9a05f33f7c…, manifest witness a090592e0609adc8…, signed 2026-06-02T18:58:22Z by cell gaiaftcl-mac-cell. Verify with `gaiaftcl wiki sign --all` and compare `wiki-all-signatures.json`.