---
nc-id: NC-001
project: demo-epb
date-discovered: 2026-05-11
severity: Critical
status: Closed
---

# Non-Conformity NC-001: Step counter overflow not documented

| Field             | Value                           |
|-------------------|---------------------------------|
| NC ID             | NC-001                          |
| Project           | demo-epb                        |
| Date discovered   | 2026-05-11                      |
| Discovered by     | Review REV-001                  |
| Affected artefact | `src/apply_controller.c`        |
| Requirement       | SWE-002 (watchdog)              |
| Severity          | Critical                        |
| Status            | Closed                          |

---

## 1. Description

`step_count` in the apply controller is declared as `uint32_t` and is monotonically incremented in `apply_ctrl_step_50ms`. At 50 ms/tick the counter overflows after 2^32 * 50 ms ≈ 6.8 years. The watchdog in SWA-002 only compares the delta between two reads (wrap-around safe), but the behaviour is not documented in the header and may lead to errors in subsequent maintenance.

## 2. Risk assessment

| Aspect              | Assessment                                                   |
|---------------------|--------------------------------------------------------------|
| Effect              | In theory false-negative watchdog on wrap-around comparison  |
| Likelihood          | Very low (6.8 years lifetime)                                |
| Safety contribution | Indirect — watchdog is part of the SG-01 implementation      |

## 3. Immediate action

Header comment in `apply_controller.h` extended: explicit description of wrap-around behaviour. The watchdog implementation (in SWA-001) must use `uint32_t` subtraction for delta comparison (wrap-safe).

## 4. Corrective action (root cause)

Add the checklist item "document integer overflow behaviour" to the code-review checklist. Verify in subsequent reviews.

## 5. Verification

- Comment in `apply_controller.h` v1.1 (commit ``)
- Watchdog in SWA-001 uses `uint32_t` subtraction (see SWA-001 §4)
- Review checklist updated

## 6. Closure

Closed on 2026-05-11 by S. Lohmaier after verification.
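The wrap-safe delta comparison required under immediate action, as an added illustration that is not code from the demo-epb project: `step_delta` relies on `uint32_t` subtraction being defined modulo 2^32, and `watchdog_progress_widened` shows how a comparison done in wider signed arithmetic mis-judges an interval that crosses the wrap point. The step bound `WATCHDOG_MAX_STEPS` and the sample readings are constructed for the example; the real limit would come from SWA-001, which is not quoted here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bound (not from SWA-001): at 50 ms/tick, 20 steps is one second. */
#define WATCHDOG_MAX_STEPS 20u

/* Wrap-safe step delta: uint32_t subtraction is defined modulo 2^32, so the
 * result is correct even when step_count has wrapped between the two reads. */
static uint32_t step_delta(uint32_t prev, uint32_t now)
{
    return now - prev;
}

/* Watchdog progress check: the controller must have advanced at least one step
 * and at most WATCHDOG_MAX_STEPS since the previous read. True means alive. */
static bool watchdog_progress_ok(uint32_t prev, uint32_t now)
{
    uint32_t d = step_delta(prev, now);
    return d >= 1u && d <= WATCHDOG_MAX_STEPS;
}

/* Counter-example (constructed): widening to int64_t before subtracting loses
 * the modular behaviour, so a legitimate 4-step interval across the wrap point
 * yields a large negative delta and is rejected. */
static bool watchdog_progress_widened(uint32_t prev, uint32_t now)
{
    int64_t d = (int64_t)now - (int64_t)prev;
    return d >= 1 && d <= (int64_t)WATCHDOG_MAX_STEPS;
}

/* Number of 50 ms ticks until the counter wraps from a given start value;
 * from 0 this is 2^32 ticks, i.e. roughly 6.8 years. */
static uint64_t ticks_until_wrap(uint32_t start)
{
    return (uint64_t)UINT32_MAX - start + 1u;
}

int main(void)
{
    /* Constructed readings straddling the wrap: 4 real steps apart. */
    uint32_t prev = UINT32_MAX - 1u, now = 2u;
    printf("delta=%u wrap-safe=%d widened=%d\n",
           step_delta(prev, now), watchdog_progress_ok(prev, now),
           watchdog_progress_widened(prev, now));
    printf("ticks until wrap from 0: %llu (~%.1f years at 50 ms)\n",
           (unsigned long long)ticks_until_wrap(0),
           (double)ticks_until_wrap(0) * 0.05 / (365.25 * 24 * 3600));
    return 0;
}
```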