The Management of Configurations in the field of Safety and Cybersecurity

Reading time: 3 minutes - Difficulty: advanced

If you are a manufacturer and have had difficulty managing product configurations, it is because the regulations for functional safety and cyber security impose Configuration Management requirements that are not easy to implement. Find out how to deal with the problem.

What is Configuration Management?

A configuration is the set of project elements that gives you full control of the product and a complete picture of how it was developed.

Configuration must at least show the following product information:

  • Hardware version
  • Firmware version
  • Possible variants or options
  • Supplemental documentation, i.e. drawings, BOM, firmware code, tests, specifications, manuals and anything else necessary for product development
  • Tools used for development and their version

 

What are the regulatory requirements for configuration management?

The requirements for the management of configurations are reported in several standards, including those relating to safety and cyber security:

  • IEC 61508, standard for functional safety of E/E/PE devices
  • ISO 26262, functional safety standard in the automotive industry
  • IEC 62443-4-1, OT cyber security standard dealing with product lifecycle management

 

One principle common to these regulations is the requirement for full traceability of the development process, covering changes to a product's configuration that result from the development itself or from market demands.

 


 

Why you need a configuration management system

The configuration management system aims to:

  • Ensure consistency between the requirements and the functional characteristics of project products and their performance
  • Manage the information on the system and any changes to be made with respect to the specifications agreed with the client in an integrated way

 

A further requirement of the aforementioned regulations is to be able to associate an exact configuration with an already operational product (for example through its Serial Number), and therefore see its entire history.

 

In summary, here are a few reasons why a standard may require proper configuration management:

  • it allows you to recall products for which a safety or security problem has been encountered
  • it allows you to create a history of the reliability and safety data of the products sold
  • it allows you to systematically track any changes to an existing configuration
  • it allows impact analyses to be carried out correctly, by evaluating the differences with respect to what has already been released in existing configurations
  • it allows the release of patches that deal with any firmware bugs that may compromise safety/security
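
The points above can be made concrete with a small register that ties each Serial Number to a released configuration and keeps its history. This is an added example, not part of the original article; the class names, fields and sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Configuration:
    """One released configuration with the items the article lists."""
    config_id: str
    hardware_version: str
    firmware_version: str
    variants: tuple = ()
    documents: tuple = ()  # (name, revision): drawings, BOM, tests, manuals
    tools: tuple = ()      # (tool, version) used for development

class ConfigurationRegister:
    """Hypothetical register: released configurations plus per-serial history."""
    def __init__(self):
        self._configs = {}   # config_id -> Configuration
        self._history = {}   # serial -> [(date, config_id, reason), ...]

    def release(self, config):
        # A released configuration is never overwritten; a change gets a new id.
        if config.config_id in self._configs:
            raise ValueError(f"{config.config_id} is already released")
        self._configs[config.config_id] = config

    def assign(self, serial, date, config_id, reason):
        if config_id not in self._configs:
            raise KeyError(f"{config_id} has not been released")
        self._history.setdefault(serial, []).append((date, config_id, reason))

    def history(self, serial):
        return list(self._history.get(serial, []))

    def current(self, serial):
        return self._configs[self._history[serial][-1][1]]

    def diff(self, old_id, new_id):
        # Impact analysis input: every field that differs between two releases.
        old, new = asdict(self._configs[old_id]), asdict(self._configs[new_id])
        return {k: (old[k], new[k]) for k in old if k != "config_id" and old[k] != new[k]}

    def affected_serials(self, fw):
        # Recall or patch scope: units whose current configuration runs this firmware.
        return sorted(s for s in self._history if self.current(s).firmware_version == fw)

def build_sample():
    # Constructed sample data, not real product records.
    reg = ConfigurationRegister()
    reg.release(Configuration("CFG-A", "HW-1.0", "FW-1.0.0", tools=(("compiler", "9.2"),)))
    reg.release(Configuration("CFG-B", "HW-1.0", "FW-1.0.1", tools=(("compiler", "9.2"),)))
    reg.assign("SN0001", "2023-01-10", "CFG-A", "production")
    reg.assign("SN0002", "2023-01-11", "CFG-A", "production")
    reg.assign("SN0002", "2023-06-02", "CFG-B", "firmware patch")
    return reg
```

With the sample data, `affected_serials("FW-1.0.0")` returns only the unit that never received the patch, and `diff("CFG-A", "CFG-B")` shows that the firmware version is the only item that changed between the two releases.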

 

Finally, the regulations always require that the procedures and responsibilities for releasing configurations be defined.

To ensure proper maintenance of the management system, periodic audits must therefore be carried out to verify the consistency of the configurations and ensure the continuous improvement of the functionality of the product.

 
