If you are a manufacturer, and sometimes you have had difficulty with managing product configurations, it is because the regulations for functional security and cyber security expect Configuration Management requirements that are not easy to implement. Find out how to deal with the problem.
What is Configuration Management?
Configuration is a set of elements that are part of the project that allow you to have full control of the product and know the essence of development.
Configuration must at least show the following product information:
- Hardware Version
- Firmware version
- Possible variants or options
- Supplemental documentation, i.e. drawings, BOM, firmware codes, tests, specifications, manuals and anything else necessary for product development
- Tools used for development and their version
What are the regulatory requirements for configuration management?
The requirements for the management of configurations are reported in several standards, including those relating to safety and cyber security:
- IEC 61508, standard for functional safety of E/E/PE devices
- ISO 26262, functional safety standard in the automotive industry
- IEC 62443-4-1, OT cyber security standard dealing with product lifecycle management
One of the common principles among these regulations is to require full traceability of the development process, in reference to changes in the configuration of a product resulting from the development itself or from any market demands.
Read the article3 Questions about the Future of Functional Safety
Why you need a configuration management system
The configuration management system aims to:
- Ensure consistency between the requirements and the functional characteristics of project products and their performance
- Manage the information on the system and any changes to be made with respect to the specifications agreed with the client in an integrated way
The further requirement of the aforementioned regulations is to be able to associate an exact configuration with an already operational product (for example through its Serial Number), and therefor see its entire history.
In summary, here are a few reasons why a standard may require proper configuration management:
- it allows you to recall products for which a safety or security problem has been encountered
- it allows you to create a history of the reliability and safety data of the products sold
- it allows you to systematically track any changes to an existing configuration
- you can correctly carry out impact analyses by allowing difference evaluations with respect to what has already been released in existing configurations
- it allows the release of patches that deal with any firmware bugs that may compromise safety/security
Finally, regulations always require that configurations are released to define the modalities and responsibilities.
To ensure proper maintenance of the management system, periodic audits must therefore be carried out to verify the consistency of the configurations and ensure the continuous improvement of the functionality of the product.