<html><body>
<p>As I have written and said earlier, the scope is too broad. I do not agree that this should apply to all software development unless it is at a level where we basically say "these folks develop software for their own use and they do their own QA". To be sure, for business, safety and security systems, or systems that deal with motors, high power magnets or cryogenics, this QA makes sense. On the other hand, we have users and staff who develop systems that have worked well and met requirements. They have their own QA processes, even if that is just "I tested it and it does what I want". Imposing a QA process that adds no value onto these people will only reduce their productivity.</p>
<p>I suggest that we look carefully at where we want to apply more rigorous QA top down, then in less critical areas document what we do.</p>
<p>As far as FPGAs are concerned, they should be exempt in everything except safety interlocks and systems controlling hardware that would cause damage or injury if the FPGA misbehaved.</p>
<p>My 10c worth, regards,</p>
<p>Graham</p>
<div>On Jul 27, 2009, at 8:48 AM, Kelly Mahoney wrote:</div>
<blockquote type="cite">
<p>As some of you know, the QA/CI department is developing a "Software Control" procedure as part of the Lab's overall QA framework. Many comments on the draft document have to do with the scope. Basically, the document must apply to all JLab software development - everyone needs some form of software assurance with some minimum set of attributes that depend on how important the software is to the lab. However, we have to use a little common sense and know that not every little piece of software is subject to the QA process. This makes the definition of the scope of the procedure very important. I include a copy of the latest draft scope below.</p>
<ol>
<li>If you would, take a look and give me some constructive feedback on how it can be both more succinct and utile to you.</li>
<li>How should the scope apply to contractors, users, etc.?</li>
<li>I would like to hear your opinion on the applicability to reconfigurable devices like FPGAs. (NASA and DOD handle them similarly.)</li>
</ol>
<p>Thanks,</p>
<p>Kelly</p>
<h1><a name="_Toc234028251">1 Scope</a></h1>
<p>The scope of this procedure complements the JLab cyber security enclave structure with the addition of Facilities Management and Safety Systems software. The procedure specifies software assurance activities and requirements for software developed, acquired, and maintained by Jefferson Lab or on behalf of Jefferson Lab. It applies to all JLab projects, programs, facilities and activities that may have an impact on JLab’s mission and goals. This procedure does not specify specific processes or models; rather, it provides a set of basic requirements and tools applicable to any lifecycle model.</p>
<p>Individuals responsible for software within each division, department or group that purchases, develops, modifies, or produces software applications that may impact JLab’s mission shall follow the requirements of this procedure. The impact to JLab’s mission and goals is assessed using a software risk assessment tool described in section 4 of this document.</p>
<p>This procedure is applicable to all Jefferson Lab software assurance activities during the entire lifecycle of the software developed or acquired, including:</p>
<ul>
<li>internal software development</li>
<li>software used to collect and manage data</li>
<li>startup and configuration scripts</li>
<li>incorporation of open source software</li>
<li>modified off the shelf (MOTS) software used to design, analyze, or control safety or mission essential aspects of JLab operations</li>
<li>commercial off the shelf (COTS) software used to design, analyze, or control safety or mission essential aspects of JLab operations</li>
<li>programs and firmware for monitoring or control, including IOCs and PLCs</li>
<li>modifiable embedded software and firmware, including PICs and PC104 type SBCs</li>
<li>programs and development software for field programmable integrated circuits such as Field Programmable Gate Arrays</li>
<li>other software as defined by the JLab Chief Information Officer</li>
</ul>
<p>Generally, this procedure applies to configuration items that may impact Jefferson Lab’s ability to conduct operations safely and effectively. The impact a software configuration item may have is assessed using the software risk assessment tool referenced in Part 4 of this document.</p>
<p>This procedure only applies to security software configuration items insofar as the impact of ineffective security software controls may materially affect operations and safety.</p>
<h2><a name="_Toc234028252">Exemptions</a></h2>
<ol>
<li>This procedure does not apply to unmodified general purpose computing software, unmodified enterprise software, and general purpose desktop software managed under the IT/CIO Division. Examples include office productivity software, public web pages, and LAN/WAN networking software.</li>
<li>Other software configuration items as excluded in writing by the Jefferson Lab Chief Information Officer (CIO).</li>
</ol>
<p>_______________________________________________<br>Sw_assurance mailing list<br><a href="mailto:Sw_assurance@jlab.org">Sw_assurance@jlab.org</a><br>https://mailman.jlab.org/mailman/listinfo/sw_assurance</p>
</blockquote>
</body></html>