[trustable-software] OpenControl, Mustard
Paul Sherwood
paul.sherwood at codethink.co.uk
Mon Sep 12 14:23:08 UTC 2016
Hi folks,
in discussions elsewhere over recent weeks, I learned that production
of safety-critical software rests heavily on compliance processes and
the need to demonstrate traceability from requirements to code, and
back.
This creates a significant hurdle for considering safety-critical
re-use of existing projects (especially FOSS projects), where the
solution has evolved over time, without explicit definition of
requirements. This would apply to many 'agile' solutions too.
I can't argue against the need - having traceability, plus the ability
to assess compliance (or uncompliance) against requirements seems
fundamental for achieving some of the higher levels of trustability in
software. I'd say it's necessary, but not sufficient, as highlighted by
previous comments on this list.
So I've started thinking about what FOSS traceability and compliance
could look like, and it occurred to me that even at the top level we'd
need actual software to frame and manage the documentation/process,
otherwise we're bound to end up disconnected from reality.
Which leads me to mention a couple of existing projects...
OpenControl
===========
My colleague Rob Taylor reminded me about the OpenControl project [1],
which aims to be 'a YAML-powered antidote to bureaucracy'. Basically the
idea is to use YAML as a way of describing controls, so that
documentation (for example compliance documentation) can be managed,
manipulated and used like code.
This seems to me to be another example of some work which has
originated in another domain (here web security and compliance) that
could maybe be extended and repurposed to deeper systems software. I
haven't really dug into the existing implementation, but I'm guessing it
might be possible to map a model like OpenSAMM into YAML.
Mustard
=======
A few years ago Codethink created Mustard, a small project to provide a
bare-bones implementation of the Automotive SPICE model [1] - it uses
YAML to represent user-readable metadata for the stages in SPICE, with
git to track their evolution over time. We've used Mustard on a few
projects where engineers don't need or can't face the burden of IBM
DOORS.
So what?
========
I'm starting to imagine a whole framework of metadata flow from
compliance and requirements, through build instructions to test
specifications, with YAML as the lingua franca, and everything in Git.
Any thoughts on this? Any other examples of prior art we can consider?
br
Paul
[1] http://opencontrol.xyz
[2] https://github.com/CodethinkLabs/mustard