-
Notifications
You must be signed in to change notification settings - Fork 60
Conformance example1 prelim system reqs #155
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: conformanceexamples
Are you sure you want to change the base?
Changes from all commits
77bf037
e55a869
cd57e5d
ec925f1
40c5aaa
c5806c3
a1070ae
1793414
d570220
1088fff
4a01830
26ea567
c60b21c
7a91cec
221d7a3
3664661
ce5dd88
1ba45aa
d50b720
dea4015
1e55562
68c7e59
e7de528
8cc8823
b45c63a
fa8e363
ae4b4f6
a18dbda
9b8ecaa
803d5d7
cf73326
20513b4
5c6482a
38c8e32
6d79a48
696abc4
950f9b7
89f2362
fdf6704
56ee161
1f8c230
33d74b9
f0655e2
7effb93
3d9ac8e
e9ab535
ac45c4f
0f6519f
f608d5a
af43944
c8d5440
a4a4174
48b9472
c69c550
d388386
3642e35
4b1a97e
5310966
c0259f8
4c29ca6
c650cb7
800e5d3
0c82500
36ad558
97e816c
e442a1a
2b71cf6
1cec0d2
30e863a
f196c71
7529cc7
7f26944
e69197f
9c65117
4c4bfdc
913a337
7ff42e4
3e9854b
59c453f
41d03fc
5f0102e
2f2d5f6
24783e1
7150bc6
87e9517
70140ef
4606656
f0fe721
318964a
ce61e22
d14ade9
9ea2643
56eec7e
4dda8df
a9c267f
ff1cc1a
20c021c
b9467c4
8b8485b
cd74750
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -8,30 +8,172 @@ SPDX-License-Identifier: Apache-2.0 | |
|
|
||
| [TEXT] | ||
| STATEMENT: >>> | ||
| The System-of-Interest named SAMPLE is the top-level system in this example. | ||
| The System-of-Interest named SAMPLE is the top-level system in this example. | ||
| <<< | ||
|
|
||
| [[SECTION]] | ||
| TITLE: Conceptual Overview | ||
|
|
||
| [TEXT] | ||
| STATEMENT: >>> | ||
| SAMPLE is a Product Line of commodity consumer electronics devices intended for | ||
| markets requiring conformance with the EU Cyber Resilience Act. The range of | ||
| devices supported by this Product Line is expected to expand over time as | ||
| more product types become commoditized. | ||
|
|
||
| For this Product Line, "commodity devices" matches this definition from | ||
| `SUSE.com <https://www.suse.com/topics/definition/commodity-hardware>`__: | ||
|
|
||
| Commodity hardware, sometimes known as off-the-shelf hardware, | ||
| is a computer device or IT component that is relatively inexpensive, | ||
| widely available and basically interchangeable with other hardware of its type. | ||
| Unlike purpose-built hardware designed for a specific IT function, | ||
| commodity hardware can perform many different functions. | ||
| Commodity hardware is usually low-end, broadly compatible and | ||
| can function on a plug-and-play basis with other commodity hardware products. ... | ||
|
|
||
| Generally, commodity hardware can evolve from any technologically mature product. | ||
| Thus, most hardware products that have been on the market for five years or more | ||
| are available in commodity versions. ... | ||
|
|
||
| SAMPLE is expected to be **reused and extended** by | ||
| interested Open-Source Software Projects and Component Manufacturers for | ||
| developing assets conformant with the EU CRA. | ||
| <<< | ||
|
|
||
| [[SECTION]] | ||
| TITLE: Product Line Problem Domain | ||
|
|
||
| [TEXT] | ||
| STATEMENT: >>> | ||
| SAMPLE is intended to support at least | ||
| commodity consumer electronics devices. These products may end | ||
| up being used in commercial and/or civil deployments. | ||
| These products are NOT expected to be used in industrial or | ||
| safety-critical deployments. | ||
|
Comment on lines
+52
to
+53
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Short response: "NOT expected" is a negative requirement, or "negative intent" if you prefer. Neither can be proven. It is probably also true that the product is not expected to be used in an infinite number of ways well beyond industrial and safety-critical deployments. Sticking to what IS intended keeps the burden of proof finite. Longer response: While I am certain it would not be difficult to find plenty of examples of manufacturers who specifically intend for their component to be used in industrial or safety-critical deployments, I am not sure that kind of intent is the norm. In my experience an OEM chooses a component for its fitness regardless of what the manufacturer intended of it. At that point, the OEM takes responsibility for the outcome. At the highest levels of criticality, component heritage is defined as the operational track record. The component manufacturer is neither responsible for, nor likely aware of, the operational track record of their products they sell to OEMs (failures notwithstanding).
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is informative content rather than normative, so it doesn't have to be proved or verified. Perhaps we need a title/section to make that distinct. The EU CRA Annex II item requires the User Documentation to describe "the intended use, including the security environment provided by the manufacturer, as well as the product’s essential functionalities and information about the security properties;" Yes, there are many hardware components that are specifically intended for safety-critical environments (e.g., automotive grade SOCs vs non-automotive grade). I have also run across similar distinctions for RTOS usages (e.g., Green Hills Software product INTEGRITY-178 tuMP Safety-Critical & Security-Critical RTOS vs. Green Hills Software product INTEGRITY RTOS). |
||
|
|
||
| To support growth of the Product Line Solution Domain (solution space) | ||
| with minimal impact on existing assets, the Product Line Problem Domain | ||
| will be the context for evaluating and understanding all System Engineering | ||
| artifacts for SAMPLE. | ||
| <<< | ||
|
|
||
| [[/SECTION]] | ||
|
|
||
| It is expected to be composed of the following subsystems: | ||
| [[SECTION]] | ||
| TITLE: Product Line Solution Domain (Scope) | ||
|
|
||
| [TEXT] | ||
| STATEMENT: >>> | ||
| SAMPLE is designed upon the following generic solution framework for products: | ||
|
|
||
| .. raw:: html | ||
|
|
||
| <pre class="mermaid"> | ||
| --- | ||
| title: Topology of Systems-of-Interest | ||
| title: Generic Product Solution Framework | ||
| --- | ||
| stateDiagram-v2 | ||
| state "Cloud-based Services" as MfgCloudSvcs { | ||
| direction LR | ||
| state "Product Support" as PrdSupport { | ||
| direction LR | ||
| state "Documentation <br/>(per Product)" as PrdDocs | ||
| } | ||
| } | ||
|
|
||
| state SAMPLE { | ||
| TBD_Security_Vulnerability_Reporting: TBD <br/> Security <br/> Vulnerability <br/> Reporting <br/> Server | ||
| TBD_Desktop_SW: TBD <br/> Desktop SW | ||
| TBD_Mobile_SW: TBD <br/> Mobile SW | ||
| TBD_Devices: TBD <br/> Device(s) | ||
| TBD_Cloud_SW: TBD <br/> Cloud SW | ||
| TBD_Digital_Component_Update_Server: TBD <br/> Digital <br/> Component <br/> Update <br/> Server | ||
| } | ||
| state "Applications" as MgrApps { | ||
| direction LR | ||
| state "Desktop Applications" as MfgDesktopApps | ||
| state "Mobile Apps" as MfgMobileApps | ||
| } | ||
|
|
||
| state "Devices" as Devices { | ||
| direction LR | ||
| state "Manufacturer Parts" as MfgParts | ||
| } | ||
| </pre> | ||
| <<< | ||
|
|
||
| [[SECTION]] | ||
| TITLE: Feature List | ||
|
|
||
| [TEXT] | ||
| STATEMENT: >>> | ||
| As a Product Line evolves the sponsors of the Product Line may require it | ||
| to support a larger solution domain than previously chosen. A best practice | ||
| for Product Line Engineering is to evaluate architectures and designs for | ||
| reusability in reasonably foreseeable scope growth. | ||
|
|
||
| The following Feature List outlines the breadth of product categories | ||
| and functionalities to be considered when describing and evaluating | ||
| SAMPLE requirements and designs. | ||
|
|
||
| .. note:: | ||
| Bold text indicates **invariant feature/value** across Product Line scope. | ||
|
|
||
| Italic text indicates *anticipated expansion* of Product Line scope. | ||
|
|
||
| - User Interface | ||
|
|
||
| - Label(s) | ||
| - Device Status LED(s) | ||
| - Button(s) | ||
| - *Network Activity Indication(s)* | ||
| - *User Authentication via Finger Print* | ||
|
|
||
| - Communication Interfaces | ||
|
|
||
| - USB Device | ||
|
|
||
| - Physical Connector | ||
|
|
||
| - *USB A Male* | ||
| - USB C Male connector | ||
|
|
||
| - Network Interface | ||
|
|
||
| - 100BASE-TX | ||
| - *10BASE-T1L* | ||
| - *802.15.4* | ||
| - *BlueTooth* | ||
| - *WIFI* | ||
|
|
||
| - Functionality | ||
|
|
||
| - Secure Boot | ||
| - Firmware Update | ||
|
|
||
| - On-demand FW Update (pushed to Device) | ||
| - *Automated FW Update (pulled by Device)* | ||
| - *FW Update schedule control <br/>(periods of blocked vs listening vs requesting)* | ||
|
|
||
| - Network Interface | ||
| - *Network Sniffer* | ||
| - *Network Router* | ||
| - *Network Gateway* | ||
| - *Network-Attached Storage (NAS)* | ||
| - *BlueTooth Beacon* | ||
| <<< | ||
|
|
||
| [[/SECTION]] | ||
|
|
||
| [[SECTION]] | ||
| TITLE: Product List | ||
|
|
||
| [TEXT] | ||
| STATEMENT: >>> | ||
| The following are nominal descriptions of the products in SAMPLE: | ||
|
|
||
| - SAMPLE Product 1: a USB-C to 100Base-T Network Interface Dongle | ||
| <<< | ||
|
|
||
| [[/SECTION]] | ||
|
|
||
| [[/SECTION]] | ||
|
|
||
| [[/SECTION]] | ||
|
|
||
| [DOCUMENT_FROM_FILE] | ||
| FILE: ../system_requirements/sdoc/index.sdoc | ||
|
|
||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you talking about a reusable component intended for inclusion in an OEM product for sale direct to consumers? I think the use of the word commoditized is also a little confusing. I can think of a number of reusable components that are branded (not commoditized), but otherwise purport to fulfill an industry specification that may or may not be implemented by others.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am talking about the end products-with-digital-elements being commodity devices. This is informative content rather than normative, so it doesn't have to be proved or verified. Perhaps we need a title/section to make that distinct.
Your question prompted me to look for a definition of "commodity devices". From SUSE.com I found the following:
USB devices (e.g., Thumb drives) are always branded and each has a serial number. The lowest-cost versions that are functionally identical and provide only standard USB interfaces that pull in common drivers provided by the OS vendor are essentially commodity devices. The business profit model is competing on low price, lower cost, and high volume. I have used the term "commodity devices" to refer to this end of the spectrum.
Please note that some of the electrical components within the commodity devices will also be commodity electronics (e..g, resistors, USB connectors, NAND flash chips), where others will not be (e.g., SOC holding non-standard register interfaces to digital logic blocks).