← ODIN'S INSIGHT

FENRIR

Failure Analysis Engine · The Bound Wolf
ODIN'S INSIGHT·DRAFT v0.2·2026-07-13

The gods knew the wolf would one day break loose and devour the world. They did not wait. They named the risk, forged Gleipnir, and bound it — and Týr paid a hand for the binding. Fenrir does the same work: it names the catastrophic failure before it happens and binds it with analysis and mitigation. The hand given up is the design constraint accepted to keep the system safe.

Place in the Product Family

Bifrost
What must be true? The NFSI constraint model and the living Requirements Library.
Norn
Given what you need, what requirements must exist at every layer?
Fenrir
What can fail, how badly, and what binds it?

Fenrir is a design FMEA (dFMEA) engine: function-level failure analysis. It is database-agnostic by construction — every source-system access goes through an adapter contract, and Bifrost is adapter v1. A future DOORS or Jama adapter changes nothing in Fenrir's core.

Fenrir is opinionated about methodology (function-anchored dFMEA, graph-first) and unopinionated about where the engineering data lives. These are independent axes.

Two Elements, One Relation

END EFFECT FAILURE ELEMENT PROPAGATES →

This mirrors the Bifrost relationship philosophy — named elements connected by named, directional relations (Fulfils, Decompose, Bind).

End Effect
Loss of vehicle mobility
S · 9
End Effect
Safety hazard to crew
S · 8
PROPAGATES
ƒ Function · source
Maintain tyre pressure within tolerance
Failure Mode
Fails to maintain tyre pressure within tolerance
S·9 (inherited, max) · AP·H
PROPAGATES
Cause
Violated: valve seal degradation limit
O·7 · D·4 · RPN·252
Cause
Violated: regulator calibration requirement
O·5 · D·6 · RPN·270
One graph · roles are positions, not types

The graph is the source of truth

The FMEA is the propagation graph. The traditional flat FMEA table is a calculated view — each row one path, End Effect ← Mode ← Cause, with risk columns denormalised onto it — generated on demand for review and export (xlsx), never edited directly.

Risk computation

Bifrost Integration

Adapter status. The Bifrost adapter (v1) still maps each Function to a single Solution node (R1). But Solution-Requirement location is now derived, not stored: the adapter calls Bifrost's /architecture/derived-locations and uses each SR's effective_node_id — the LCA node for cross-branch SRs. The stored architecture_node_id is legacy and ignored. True multi-node rendering of a single SR remains a future target.

Auto-generation — failure modes as the negative space of requirements

STEP 1

Scope

Select a Solution Architecture node. Its subtree defines the function set in scope.

STEP 2

Modes

Every Function yields a failure-mode candidate: "Fails to: …". Expandable — a function can fail in many ways.

STEP 3

Causes

Every fulfilling Solution Requirement yields a cause: "Violated: …" — a constraint that must hold, not holding.

STEP 4

Trace

Every mode carries a function reference, every cause a requirement ID. Coverage is answerable mechanically.

Generation is idempotent: re-running never duplicates and never overwrites user-authored work.

Scoped analysis per Solution node

Industry practice runs FMEA sessions per subsystem. Fenrir supports this as a viewport, not a partition: there is one FMEA per project — one graph — and selecting a Solution node scopes the view to its functions, their failure elements, one Propagates hop above and below, and all End Effects, always. The graph stays whole; the scope is a lens.

Writeback — closing the loop

A Mitigation can be proposed back to the source system as a draft requirement. Governance is strict: it lands in the project, never the Library; it is proposed into the Solution layer by default — mitigations are typically controls or architectural constraints, with layer selection by type a future extension; promotion happens exclusively through Bifrost's Release Gate; statements are prefixed [Fenrir mitigation] and tagged in custom_attrs (origin: fenrir, kind: mitigation, fenrir_fmea: <ref>) for filtering and audit.

Each mitigation carries a persisted writeback lifecycle — none → proposed → accepted → rejected — orthogonal to its implementation status. On a successful proposal it records the draft's id in writeback_ref and advances to proposed; re-proposing an already-proposed mitigation is rejected with HTTP 409, so a double click never creates a duplicate draft.

Fenrir
derives constraints from risk analysis of the present design
Bifrost
governs both into the living Requirements Library
— a closed loop no standalone FMEA tool in the Tier 2 space offers —

Methodology Rules

1

Severity is owned at the End Effect, inherited downward; the highest value wins on multiple inheritance.

2

Occurrence and Detection are owned by the Failure Element and are identical wherever the element appears.

3

Mode and Cause are roles, not types. Position in the graph relative to scope decides the role.

4

The graph is the single source of truth. The flat table is a derived, read-only export artefact.

5

Generation is idempotent. User-authored content is never overwritten.

6

Cycles in Propagates are invalid and rejected at creation.

7

Writeback proposes to the project; the Release Gate decides Library promotion. Fenrir never touches the Library.

8

One FMEA per source project. Scope is a viewport over a single graph, never a data partition.

Architecture Summary

ComponentStackResponsibility
FenrirBackend FastAPI · PostgreSQL · Railway Persisted tables: the FMEA container, the graph model (EndEffect, FailureElement, Propagates, Mitigation), the Adapter registry, and CachedUser. Adapter contract (Bifrost adapter v1), risk services, flat-view builder, xlsx export, writeback. Exposes / and /health for liveness and build identity.
FenrirWorkbench Next.js 15 · TypeScript · React Flow · Vercel Login → project → three-pane workspace: architecture tree, propagation canvas, attribute panel. Per-node scoping.
Identity Bifrost Single identity authority for the product family. Source-system calls run under the requesting user's token.