Benjamin Admin
a0f72fc39b
Roadmap item 2: the RTS now pin MaschinenVO + convergence Expected Outcomes, so the convergence USP is a living regression, not just a one-off section. - RTS-003 (machine + ISMS, networked): full multi-regulation archetype — maschinenvo expected_delta + convergence expected_multi_target (links TP-ISO27001-CRA-MaschinenVO-v1). Generator runs the convergence pattern through RS-005: 4/4 machine-safety delta MISSING + 4/4 expected multi-target caps converge. PASS. - RTS-001 (component): MaschinenVO modeled as `uncertain` (a pure component is usually not a machine; deciding question is_safety_component) — engine must never assert it applies. Honest, parallel to the Data-Act handling. - RTS-002 (machine, QMS-only): MaschinenVO `applies` (is_machine) but LOW convergence — no ISMS means the cyber side is entirely delta, so few caps are shared. The honest contrast that the convergence USP rewards companies who already run an ISMS. - generator: per-RTS maschinenvo/convergence Soll-Ist checks; convergence pattern run once and reused. Data Act stays `uncertain` everywhere, never asserted. All 3 RTS PASS. 18 tests (transition+company), mypy --strict clean, check-loc 0. Non-runtime (knowledge + reference harness) -> no deploy (ADR-001). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
61 lines
2.5 KiB
YAML
61 lines
2.5 KiB
YAML
# Reference Transition Scenario — ANONYMIZED ARCHETYPE ONLY (no real company names stored).
|
|
id: RTS-002
|
|
archetype: "Classic machine builder with only a QMS — precision systems, CE products, no ISMS"
|
|
note: "Anonymized typical starting situation; illustrative only. Contrast to RTS-001: a much LARGER delta."
|
|
|
|
reference_company:
|
|
sector: mechanical_engineering
|
|
known_certifications: [ISO9001]
|
|
product_traits:
|
|
is_machine: true
|
|
is_component: false
|
|
has_embedded_software: true
|
|
connected_to_internet: false # often not connected -> Data Act less likely, still a question
|
|
has_remote_access: null
|
|
generates_usage_data: null
|
|
market: [EU]
|
|
|
|
transition_goal:
|
|
from: [ISO9001]
|
|
to:
|
|
- target: CRA
|
|
pattern: TP-ISO9001-CRA-v1
|
|
- target: MaschinenVO
|
|
pattern: null
|
|
note: applies_machine_safety # is_machine: true -> settled second target (machine safety side)
|
|
|
|
expected_outcome:
|
|
cra:
|
|
pattern: TP-ISO9001-CRA-v1
|
|
# A QMS gives only process discipline...
|
|
expected_likely_covered_at_least:
|
|
- document_and_change_control
|
|
- supplier_evaluation
|
|
- release_and_approval_process
|
|
# ...so the CRA delta is LARGE — nearly the whole security set.
|
|
expected_delta_at_least:
|
|
- product_cyber_risk_assessment
|
|
- secure_development_lifecycle
|
|
- technical_vulnerability_management
|
|
- coordinated_vulnerability_disclosure
|
|
- sbom_creation
|
|
- security_update_support_period
|
|
- secure_signed_update_distribution
|
|
- exploited_vuln_and_incident_reporting
|
|
- ce_conformity_assessment_and_technical_documentation
|
|
expected_delta_much_larger_than: RTS-001 # regression: ISO9001 leaves more open than ISO27001
|
|
maschinenvo:
|
|
expectation: applies # is_machine: true -> settled (not uncertain like RTS-001's component)
|
|
expected_delta_at_least:
|
|
- machine_safety_risk_assessment
|
|
- mechanical_safety_and_guards
|
|
- operating_instructions_and_safety_information
|
|
low_convergence_note: >
|
|
Unlike RTS-003, a QMS-only builder gets almost NO CRA<->MaschinenVO convergence: with no ISMS the
|
|
cyber side is entirely in the delta, so few capabilities are shared between the two regulations.
|
|
The convergence USP rewards companies that ALREADY have an ISMS — that is the honest contrast.
|
|
data_act:
|
|
expectation: uncertain
|
|
deciding_questions: [connected_product, generates_usage_data, data_act_scope]
|
|
rationale: "Often not a connected product, but applicability is not assumed either way — the engine must ask."
|