breakpilot-compliance/backend-compliance/knowledge/reference_transition_scenarios/RTS-002.yaml
Benjamin Admin f78e03bd0a docs(knowledge): Reference Transition Scenarios (RTS-001..003) + ISO9001->CRA pattern
Three ANONYMIZED reference transition scenarios (no real company names stored) = canonical
regression scenarios that test the KNOWLEDGE, not just the engine. Each pins an Expected
Outcome (expected_likely_covered + expected_delta); every commit must reproduce it (identical
or better).

- RTS-001 automotive supplier (TISAX+ISO27001) -> CRA: mature ISMS, standard CRA delta.
- RTS-002 classic machine builder (ISO9001) -> CRA: only process discipline -> MUCH larger delta
  (10 missing vs 3 covered). New TP-ISO9001-CRA-v1 pattern (different shape).
- RTS-003 networked machine builder (ISMS) -> CRA: highlights the Data Act.

Data Act is modelled as UNCERTAIN (a hypothesis), never a fixed gilt/gilt-nicht: the generator
checks the engine SURFACES the uncertainty + the deciding question (generates_usage_data) and
never wrongly ASSERTS applicability. All three RTS PASS.

Non-runtime knowledge + reference harness -> no deploy (ADR-001). Names deliberately absent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-27 08:46:20 +02:00


# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
id: RTS-002
archetype: "Classic machine builder with only a QMS — precision systems, CE products, no ISMS"
note: "Anonymized typical starting situation; illustrative only. Contrast to RTS-001: a much LARGER delta."
reference_company:
  sector: mechanical_engineering
  known_certifications: [ISO9001]
  product_traits:
    is_machine: true
    is_component: false
    has_embedded_software: true
    connected_to_internet: false # often not connected -> Data Act less likely, still a question
    has_remote_access: null
    generates_usage_data: null
  market: [EU]
transition_goal:
  from: [ISO9001]
  to:
    - target: CRA
      pattern: TP-ISO9001-CRA-v1
    - target: MaschinenVO
      pattern: null
      note: pattern_pending
expected_outcome:
  cra:
    pattern: TP-ISO9001-CRA-v1
    # A QMS gives only process discipline...
    expected_likely_covered_at_least:
      - document_and_change_control
      - supplier_evaluation
      - release_and_approval_process
    # ...so the CRA delta is LARGE — nearly the whole security set.
    expected_delta_at_least:
      - product_cyber_risk_assessment
      - secure_development_lifecycle
      - technical_vulnerability_management
      - coordinated_vulnerability_disclosure
      - sbom_creation
      - security_update_support_period
      - secure_signed_update_distribution
      - exploited_vuln_and_incident_reporting
      - ce_conformity_assessment_and_technical_documentation
    expected_delta_much_larger_than: RTS-001 # regression: ISO9001 leaves more open than ISO27001
  data_act:
    expectation: uncertain
    deciding_questions: [connected_product, generates_usage_data, data_act_scope]
    rationale: "Often not a connected product, but applicability is not assumed either way — the engine must ask."
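The commit message describes the expected_outcome block as a regression pin that every commit must reproduce "identical or better", and the Data Act block as a hypothesis the engine must surface rather than decide. The following is an added illustration of how such a reference harness can evaluate that contract; it is not the project's own harness. The expectations are transcribed from the RTS-002.yaml above; the EngineResult shape, the status values "uncertain" / "applies" / "not_applicable", and all engine outputs (including the RTS-001 comparison result and its placeholder pattern name) are constructed assumptions for the demo.

```python
"""Reference-harness checks for an RTS scenario (added example, not project code)."""
from dataclasses import dataclass, field

# Expectations transcribed from RTS-002.yaml above (only the fields the checks use).
RTS_002 = {
    "id": "RTS-002",
    "expected_outcome": {
        "cra": {
            "pattern": "TP-ISO9001-CRA-v1",
            "expected_likely_covered_at_least": [
                "document_and_change_control",
                "supplier_evaluation",
                "release_and_approval_process",
            ],
            "expected_delta_at_least": [
                "product_cyber_risk_assessment",
                "secure_development_lifecycle",
                "technical_vulnerability_management",
                "coordinated_vulnerability_disclosure",
                "sbom_creation",
                "security_update_support_period",
                "secure_signed_update_distribution",
                "exploited_vuln_and_incident_reporting",
                "ce_conformity_assessment_and_technical_documentation",
            ],
            "expected_delta_much_larger_than": "RTS-001",
        },
        "data_act": {
            "expectation": "uncertain",
            "deciding_questions": ["connected_product", "generates_usage_data", "data_act_scope"],
        },
    },
}


@dataclass
class EngineResult:
    """ASSUMED shape of the engine's output for one scenario (not the real schema)."""
    pattern: str
    likely_covered: set
    delta: set
    data_act_status: str  # assumed values: "uncertain" | "applies" | "not_applicable"
    data_act_questions: set = field(default_factory=set)


def check_cra(scenario, result, other_results):
    """'Identical or better': the expected sets are lower bounds, not exact matches."""
    exp = scenario["expected_outcome"]["cra"]
    failures = []
    if result.pattern != exp["pattern"]:
        failures.append(f"pattern {result.pattern!r} != {exp['pattern']!r}")
    missing_cov = set(exp["expected_likely_covered_at_least"]) - result.likely_covered
    if missing_cov:
        failures.append(f"no longer covered: {sorted(missing_cov)}")
    missing_delta = set(exp["expected_delta_at_least"]) - result.delta
    if missing_delta:
        failures.append(f"delta silently shrank: {sorted(missing_delta)}")
    both = result.likely_covered & result.delta
    if both:  # knowledge inconsistency: an item cannot be covered and missing at once
        failures.append(f"covered and missing at once: {sorted(both)}")
    ref = exp.get("expected_delta_much_larger_than")
    if ref is not None:
        if ref not in other_results:
            failures.append(f"comparison scenario {ref} not run")
        elif len(result.delta) <= len(other_results[ref].delta):
            failures.append(f"delta ({len(result.delta)}) not larger than {ref} "
                            f"({len(other_results[ref].delta)})")
    return failures


def check_data_act(scenario, result):
    """UNCERTAIN expectation: the engine must ask the deciding questions, never assert an answer."""
    exp = scenario["expected_outcome"]["data_act"]
    failures = []
    if exp["expectation"] == "uncertain":
        if result.data_act_status != "uncertain":
            failures.append(f"engine asserted Data Act {result.data_act_status!r}; expected uncertain")
        unasked = set(exp["deciding_questions"]) - result.data_act_questions
        if unasked:
            failures.append(f"deciding questions not surfaced: {sorted(unasked)}")
    return failures


def run_rts(scenario, result, other_results):
    """Return [] when the scenario PASSes, otherwise the regressions found."""
    return check_cra(scenario, result, other_results) + check_data_act(scenario, result)


# Constructed engine outputs for the demo (not real engine runs).
CRA = RTS_002["expected_outcome"]["cra"]
QUESTIONS = set(RTS_002["expected_outcome"]["data_act"]["deciding_questions"])
ISMS_COVERS = {"product_cyber_risk_assessment", "secure_development_lifecycle",
               "technical_vulnerability_management", "exploited_vuln_and_incident_reporting"}
RTS_001_RESULT = EngineResult(  # mature ISMS: fewer open items, so a smaller delta
    pattern="PLACEHOLDER-RTS-001-PATTERN",  # RTS-001's pattern id is not on this page
    likely_covered=set(CRA["expected_likely_covered_at_least"]) | ISMS_COVERS,
    delta=set(CRA["expected_delta_at_least"]) - ISMS_COVERS,
    data_act_status="uncertain", data_act_questions=QUESTIONS)
GOOD = EngineResult(pattern=CRA["pattern"],
                    likely_covered=set(CRA["expected_likely_covered_at_least"]),
                    delta=set(CRA["expected_delta_at_least"]),
                    data_act_status="uncertain", data_act_questions=QUESTIONS)
BAD = EngineResult(pattern=CRA["pattern"],  # wrongly ASSERTS Data Act inapplicability
                   likely_covered=GOOD.likely_covered, delta=GOOD.delta,
                   data_act_status="not_applicable", data_act_questions={"connected_product"})

if __name__ == "__main__":
    for name, res in (("good", GOOD), ("bad", BAD)):
        print(name, run_rts(RTS_002, res, {"RTS-001": RTS_001_RESULT}) or "PASS")
```

The design point is that every expectation is a one-sided bound: a later commit may cover more or find more, but never fewer, and for the Data Act the only passing answer is "uncertain" plus the full set of deciding questions, so a confident engine is a regression even when it happens to be right.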