[Jlab_software] [Sw_assurance] Help With Software Assurance Scope

[Matt Bickley]

Kelly Mahoney wrote:
   <snipped>
> This procedure only applies to security software configuration items 
> insofar as the impact ineffective security software controls may 
> materially affect operations and safety. 

Kelly,
    Did you mean the paragraph above to refer to cybersecurity in
particular, or do you really want to include all security
software in the scope?

Graham Heyes wrote:
> As far as FPGAs are concerned they should be exempt in everything except safety interlocks and systems controlling hardware that would cause damage or injury if the FPGA misbehaved.

I don't agree with Graham.  A QA process doesn't just try
to protect us from misbehaving software, it also ensures
that we can maintain and support our software products.  If we
have an FPGA critical to data acquisition and programmed with code
that lives on some person's PC (and not backed up), and that person
leaves the lab, what does the lab do if it needs to be modified?
Who knows where the code is, or what it does?  A good QA process will
ensure we have the documentation and data to continue to provide
support.  Without the QA process the lab would have to start over.

-- 
Matthew Bickley                       Email: bickley at jlab.org
Computer Scientist                    Telephone: 757-269-7347
TJNAF