eclipse-score · hoe-jo · Jun 25, 2026
@@ -35,7 +35,7 @@ The failure modes to consider are defined by the SCORE process:
 
 > [FMEA Fault Models — Process Description](https://eclipse-score.github.io/process_description/main/process_areas/safety_analysis/guidance/fault_models_guideline.html#id1)
 
-The fault models cover three categories: **messages** (send/receive behaviour), **time constraints** (too early / too late), and **execution** (wrong result, loss, delay, corruption, non-determinism). The `GuideWord` enum in the `ScoreReq` model maps each category to a structured label used in the `FailureMode` records.
+The fault models cover three categories: **messages** (send/receive behaviour), **time constraints** (too early / too late), and **execution** (wrong result, loss, delay, corruption, non-determinism). The `guidewords` enum in the `ScoreReq` model maps each category to a structured label used in the `FailureMode` records.
 
 The description below covers the FMEA-based **safety** analysis for a software module.
 
@@ -78,7 +78,7 @@ package MySeooc
 import ScoreReq
 
 ScoreReq.FailureMode FM_001 {
-    guideword     = ScoreReq.GuideWord.LossOfFunction
+    guidewords     = [ScoreReq.guidewords.LossOfFunction]
     description   = "Key-value store returns stale data after power loss"
     failureeffect = "Incorrect system state at startup"
     safety        = ScoreReq.Asil.B

@@ -15,7 +15,7 @@ package SampleLibrary
 import ScoreReq
 
 ScoreReq.FailureMode SampleFailureMode{
-    guideword = ScoreReq.GuideWord.LossOfFunction
+    guidewords = [ScoreReq.guidewords.LossOfFunction]
     description = "SampleFailureMode takes over the world"
     failureeffect = "The world as we know it will end"
     version = 1

@@ -28,7 +28,7 @@ enum Status {
 ///////////////////////////////
 
 abstract type Requirement "Base type for all S-CORE requirements." {
-    description "The normative requirement text. Must express an obligation (shall/should)."
+    description "Detailed description of this element."
                 Markup_String
     version     "Monotonically increasing version counter. Increment on every content change."
                 Integer
@@ -93,7 +93,7 @@ tuple CompReqId {
 // Safety Analyses
 ///////////////////////////////
 
-enum GuideWord "HAZOP-style guide words used to categorize failure mode." {
+enum guidewords "HAZOP-style guide words used to categorize failure mode." {
 
     // -------------------------------------------------------------------------
     // Message fault models  (MF_01_xx)
@@ -145,15 +145,13 @@ enum GuideWord "HAZOP-style guide words used to categorize failure mode." {
 
 }
 
-type FailureMode "A potential failure of a system function, described using a HAZOP guide word." extends ScoreReq.RequirementSafety {
-    guideword      "HAZOP guide word classifying the nature of this failure."
-                   GuideWord
+type FailureMode "A potential failure of a system function, described using one or more HAZOP guide words." extends ScoreReq.RequirementSafety {
+    guidewords      "One or more HAZOP guide words classifying the nature of this failure."
+                   guidewords[1 .. *]
     failureeffect  "Description of the consequence of this failure mode on the system or its users."
                    String
     rationale      "Explanation of why this failure mode is considered relevant."
                    optional String
-    potentialcause "Description of the root cause or triggering condition for this failure mode."
-                   optional String
     interface      "The system interface or signal that is affected by this failure mode."
                    optional String
 }
@@ -181,22 +179,3 @@ type AoU "Assumption of Use — a safety-relevant condition that a caller must f
 
 // abstract type StdReq extends Requirement {
 // }
-
-
-///////////////////////////////
-// Checks
-///////////////////////////////
-
-checks Requirement {
-
-    not matches(description, "(shall|should)"),
-        warning "The description must include (shall|should)",
-	    description
-
-}
-
-checks AssumedSystemReq {
-
-    rationale != null implies len(rationale) >= 5, "rationale too short"
-
-}