Risk Assessment (FMEA)
Document reference: GFTCL-RA-001 · Framework: GAMP 5 Category 5 · ICH Q9 risk principles
FortressAI Research Institute · Norwich, Connecticut
Patents: USPTO 19/460,960 · USPTO 19/096,071 — © 2026 Richard Gillespie
A risk-based assessment of the functions whose failure would most affect data
integrity, value safety, or compliance. Severity (S), Occurrence (O), and Detection (D)
are each scored 1–5, with higher scores meaning more severe, more likely, or harder to
detect; RPN = S×O×D (range 1–125) drives the depth of qualification per function.
---
Failure-mode analysis
| # | Function | Failure mode | Effect | S | O | D | RPN | Control |
|---|---|---|---|---|---|---|---|---|
| R1 | Append-only persistence | Record altered/deleted | Loss of data integrity | 5 | 1 | 1 | 5 | DB UPDATE/DELETE abort triggers; SHA-256 witness; IQ schema check |
| R2 | Private-key handling | Key exposed via output/log/mesh | Loss of custody | 5 | 1 | 1 | 5 | Mode-0600 file; CLI refuses export; pre-commit audit grep |
| R3 | Federation cosignature | Row unsigned / unverifiable | Loss of attribution | 4 | 1 | 1 | 4 | signature_quintet per row; federation verify; MQ tests |
| R4 | Bounded authority | Franklin acts outside bounds | Unauthorized operation | 5 | 1 | 2 | 10 | Authority TOML bounds; refused-set; V184 audit |
| R5 | Constitutional floor | Harmful op not refused | Constitutional breach | 5 | 1 | 1 | 5 | C-007…C-010 per measurement (V174) |
| R6 | Exact arithmetic | Float drift in value amount | Value error | 4 | 1 | 1 | 4 | IntRational; floats refused at column |
| R7 | Non-mainnet leakage | testnet/sim path in production | Wrong-network loss | 5 | 1 | 1 | 5 | Pre-commit audit grep; no sim mode |
| R8 | Session replay | Chain not reproducible | Audit failure | 4 | 1 | 2 | 8 | V172 anchors; qc020 replay re-verify |
| R9 | Configuration absence | Daemon uses unsafe default | Mis-target | 5 | 1 | 1 | 5 | Daemon refuses to start without required config |
| R10 | Capacity scaling | Invariant breaks at scale | Measurement error | 4 | 1 | 2 | 8 | Invariants proven identical at any allocation; OQ/PQ |
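The R1 and R6 controls from the table (append-only persistence enforced by UPDATE/DELETE abort triggers with a SHA-256 witness and a schema check, and floats refused at the amount column), as an added example that is not part of this page or of the gaiaftcl code base. It models the controls in SQLite; the `ledger` table, its column names, and the witness layout are assumptions. The last step shows the residual risk the trigger alone cannot cover, an operator with schema rights dropping it, and why the detection side (schema check plus witness chain) is what closes it:

```python
# Added example, not gaiaftcl project code: the R1 and R6 controls from the
# FMEA table modelled in SQLite. Table and column names are assumptions.
import hashlib
import sqlite3
from fractions import Fraction

SCHEMA = """
CREATE TABLE ledger (
    seq       INTEGER PRIMARY KEY,
    payload   TEXT NOT NULL,
    -- R6: amounts are exact rationals (numerator / denominator). The two
    -- columns are declared with no type so SQLite applies no affinity
    -- conversion: a bound 2.0 stays REAL and the typeof() CHECK refuses it.
    amt_num   NOT NULL CHECK (typeof(amt_num) = 'integer'),
    amt_den   NOT NULL CHECK (typeof(amt_den) = 'integer' AND amt_den > 0),
    prev_hash TEXT NOT NULL,
    witness   TEXT NOT NULL
);
-- R1: append-only persistence. Any UPDATE or DELETE aborts the statement.
CREATE TRIGGER ledger_no_update BEFORE UPDATE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only: UPDATE refused'); END;
CREATE TRIGGER ledger_no_delete BEFORE DELETE ON ledger
BEGIN SELECT RAISE(ABORT, 'ledger is append-only: DELETE refused'); END;
"""
REQUIRED_TRIGGERS = {"ledger_no_update", "ledger_no_delete"}
GENESIS = "0" * 64  # prev_hash of the first row


def witness_of(seq, payload, amt_num, amt_den, prev_hash):
    """SHA-256 witness over the row content, chained to the previous witness."""
    material = f"{prev_hash}|{seq}|{payload}|{amt_num}/{amt_den}".encode()
    return hashlib.sha256(material).hexdigest()


def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def append(conn, payload, amount):
    """Append one row; the amount must be an exact Fraction (floats refused)."""
    if not isinstance(amount, Fraction):
        raise TypeError(f"amount must be a Fraction, got {type(amount).__name__}")
    last = conn.execute("SELECT seq, witness FROM ledger ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (last[0] + 1, last[1]) if last else (1, GENESIS)
    w = witness_of(seq, payload, amount.numerator, amount.denominator, prev)
    conn.execute("INSERT INTO ledger VALUES (?, ?, ?, ?, ?, ?)",
                 (seq, payload, amount.numerator, amount.denominator, prev, w))
    conn.commit()
    return w


def verify_chain(conn):
    """Detection control: recompute every witness from genesis.
    Returns (True, None) or (False, seq of the first bad row)."""
    prev = GENESIS
    for seq, payload, n, d, prev_hash, w in conn.execute(
            "SELECT seq, payload, amt_num, amt_den, prev_hash, witness "
            "FROM ledger ORDER BY seq"):
        if prev_hash != prev or witness_of(seq, payload, n, d, prev_hash) != w:
            return False, seq
        prev = w
    return True, None


def schema_check(conn):
    """IQ-style schema check: both append-only triggers must still exist."""
    present = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'trigger' AND tbl_name = 'ledger'")}
    return REQUIRED_TRIGGERS <= present


def demo():
    conn = open_ledger()
    append(conn, "credit", Fraction(1, 3))
    append(conn, "debit", Fraction(2))
    r = {"chain_ok": verify_chain(conn)[0], "schema_ok": schema_check(conn)}
    try:  # R1 occurrence control: the trigger aborts the UPDATE
        conn.execute("UPDATE ledger SET payload = 'tampered' WHERE seq = 1")
        r["update_refused"] = False
    except sqlite3.IntegrityError:
        r["update_refused"] = True
    try:  # R6: a float written straight to the column is refused by the CHECK
        conn.execute("INSERT INTO ledger VALUES (3, 'x', 2.0, 1, 'p', 'w')")
        r["float_refused"] = False
    except sqlite3.IntegrityError:
        r["float_refused"] = True
    # Residual risk the trigger cannot cover: an operator with schema rights
    # drops the trigger and rewrites a row. That is what the schema check and
    # the witness chain (the detection side of R1) are for.
    conn.executescript("DROP TRIGGER ledger_no_update;"
                       "UPDATE ledger SET payload = 'tampered' WHERE seq = 1;")
    r["tamper_detected"] = (not schema_check(conn)) and verify_chain(conn) == (False, 1)
    return r


if __name__ == "__main__":
    print(demo())
```

The amount columns are deliberately declared without a type: with INTEGER or NUMERIC affinity SQLite silently converts a float such as 2.0 to 2, so a typed column would let some floats through and only the typeof() CHECK on an affinity-free column refuses every REAL. The witness chain only detects tampering if the head witness is also recorded somewhere the database operator cannot rewrite, which is the role the federation cosignature and replay anchors (R3, R8) play in the table.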
Risk priorities
The highest residual attention is on R4 (bounded authority), R8 (session replay), and
R10 (capacity scaling), the three rows with RPN above 5; each carries the deepest
qualification coverage (OQ + PQ + dedicated MQ tests). Every control in the table is
verified by a qualification check, and no failure mode is left without a
detect-and-refuse control.
Risk acceptance
Residual risk is acceptable: every high-severity failure mode has an occurrence control
and a detection control, and every control traces to a qualification check in the RTM.
New functions are added to this FMEA before they ship (see Change Control).
---
*Federation cosignature: pending — gaiaftcl wiki sign --section GAMP5.*
d8fa2bdaa3155d371252b1c3fbf2a43317aca3540fe1c8b5112ca85cdc738f6a
This page serves with a substrate-honest pending-signature notice until the operator's Franklin signer cosigns it.