[trustable-software] OpenControl, Mustard

Paul Sherwood paul.sherwood at codethink.co.uk
Mon Sep 12 14:23:08 UTC 2016


Hi folks,
in discussions elsewhere over recent weeks, I learned that production 
of safety-critical software rests heavily on compliance processes and 
the need to demonstrate traceability from requirements to code, and 
back.

This creates a significant hurdle for considering safety-critical 
re-use of existing projects (especially FOSS projects), where the 
solution has evolved over time, without explicit definition of 
requirements. This would apply to many 'agile' solutions too.

I can't argue against the need - having traceability, plus the ability 
to assess compliance (or non-compliance) against requirements seems 
fundamental for achieving some of the higher levels of trustability in 
software. I'd say it's necessary, but not sufficient, as highlighted by 
previous comments on this list.

So I've started thinking about what FOSS traceability and compliance 
could look like, and it occurred to me that even at the top level we'd 
need actual software to frame and manage the documentation/process, 
otherwise we're bound to end up disconnected from reality.

Which leads me to mention a couple of existing projects...

OpenControl
===========
My colleague Rob Taylor reminded me about the OpenControl project [1], 
which aims to be 'a YAML-powered antidote to bureaucracy'. Basically the 
idea is to use YAML as a way of describing controls, so that 
documentation (for example compliance documentation) can be managed, 
manipulated and used like code.

This seems to me to be another example of some work which has 
originated in another domain (here web security and compliance) that 
could maybe be extended and repurposed to deeper systems software. I 
haven't really dug into the existing implementation, but I'm guessing it 
might be possible to map a model like OpenSAMM into YAML.

Mustard
=======
A few years ago Codethink created Mustard, a small project to provide a 
bare-bones implementation of the Automotive SPICE model [2] - it uses 
YAML to represent user-readable metadata for the stages in SPICE, with 
git to track their evolution over time. We've used Mustard on a few 
projects where engineers don't need or can't face the burden of IBM 
DOORS.

So what?
========
I'm starting to imagine a whole framework of metadata flow from 
compliance and requirements, through build instructions to test 
specifications, with YAML as the lingua franca, and everything in Git.

Any thoughts on this? Any other examples of prior art we can consider?

br
Paul

[1] http://opencontrol.xyz
[2] https://github.com/CodethinkLabs/mustard
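As an added example of the metadata flow sketched in the "So what?" section (this is not code from the post, nor from the OpenControl or Mustard projects): a small Ruby script that loads constructed requirement, control and test documents written in YAML, builds the requirement-to-test traceability matrix, and reports every break in the chain that a reviewer or a CI gate would want to see. The document shapes and field names (id, text, controls, verifies, key) are assumptions chosen for the example; in practice each document would be its own file tracked in git.

```ruby
require 'yaml'

# Constructed sample documents for this example. Field names (id, text,
# controls, verifies, key) are assumptions, not the OpenControl or Mustard
# schemas; in practice each document would be its own file tracked in git.
REQUIREMENTS_YAML = <<~YAML
  requirements:
    - id: REQ-001
      text: Messages longer than 256 bytes shall be rejected.
      controls: [AC-3]
    - id: REQ-002
      text: Every rejected message shall be logged with a timestamp.
      controls: [AU-2, AU-99]
    - id: REQ-003
      text: Configuration files shall be validated before use.
      controls: []
YAML

TESTS_YAML = <<~YAML
  tests:
    - id: TST-001
      verifies: [REQ-001]
      command: ./run_test input_length
    - id: TST-002
      verifies: [REQ-002, REQ-999]
      command: ./run_test reject_logging
YAML

CONTROLS_YAML = <<~YAML
  controls:
    - key: AC-3
      name: Access Enforcement
    - key: AU-2
      name: Audit Events
YAML

# Build the requirement-to-test traceability matrix and report every break
# in the chain: requirements nobody tests, tests that cite requirements
# that do not exist, requirements with no control behind them, and
# references to controls that are not defined anywhere.
def trace(req_yaml, tests_yaml, controls_yaml)
  requirements = YAML.safe_load(req_yaml).fetch('requirements')
  tests = YAML.safe_load(tests_yaml).fetch('tests')
  control_keys = YAML.safe_load(controls_yaml).fetch('controls').map { |c| c['key'] }

  # One row per requirement; a test lands in a row for each id it verifies.
  matrix = requirements.to_h { |r| [r['id'], []] }
  dangling = []
  tests.each do |t|
    Array(t['verifies']).each do |rid|
      if matrix.key?(rid)
        matrix[rid] << t['id']
      else
        dangling << [t['id'], rid]
      end
    end
  end

  unknown_controls = requirements.flat_map do |r|
    (Array(r['controls']) - control_keys).map { |c| [r['id'], c] }
  end

  {
    matrix: matrix,
    untested: matrix.select { |_, ts| ts.empty? }.keys,
    dangling: dangling,
    uncontrolled: requirements.select { |r| Array(r['controls']).empty? }.map { |r| r['id'] },
    unknown_controls: unknown_controls
  }
end

# A merge gate: true only when the chain is intact in both directions.
# A requirement with no compliance control is reported but does not fail
# the gate, since not every requirement needs to map to a control.
def traceability_ok?(report)
  report[:untested].empty? && report[:dangling].empty? && report[:unknown_controls].empty?
end

def format_report(report)
  lines = ['Requirement | Verified by']
  report[:matrix].each do |rid, ts|
    lines << "#{rid} | #{ts.empty? ? '(none)' : ts.join(', ')}"
  end
  report[:dangling].each { |tid, rid| lines << "#{tid} cites unknown requirement #{rid}" }
  report[:uncontrolled].each { |rid| lines << "#{rid} is not mapped to any control" }
  report[:unknown_controls].each { |rid, c| lines << "#{rid} cites unknown control #{c}" }
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  report = trace(REQUIREMENTS_YAML, TESTS_YAML, CONTROLS_YAML)
  puts format_report(report)
  puts(traceability_ok?(report) ? 'traceability: OK' : 'traceability: BROKEN')
end
```

Run as a pre-merge check, the script makes the traceability argument a property of the repository rather than of a separate document: a commit that adds a requirement without a test, or a test that cites a requirement nobody wrote, fails the gate in the same way a broken build would.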
