The world is much more connected than you think. Our connections go much beyond your everyday social network posts, text messages, and emails. The products we use every day are the major source of connectivity. The products we use are smart (sometimes too smart) and filled with components and systems that are capable of connecting to each other and actually do every day every time for different purposes. Back in the days, Ford was making its model T at River Rouge Complex, which was making everything from steel, glass, rubber to automobiles. Now the manufacturing has changed. Companies are making products using multiple tiers of suppliers and contractors manufacturing modules, units, and components. Some of these components are visible mechanical and electronic devices and some of them are just pieces of software embedded inside of existing products and devices.
The importance of traceability was always a big deal for manufacturing companies. How to trace the usage of components and parts used by multiple suppliers? It is a big problem by itself. But the problem is just getting bigger with a big amount of embedded software components that are hard to track and trace. The responsibility the traceability is generally on OEM manufacturers that have to disclose usage of different materials and components. Now, it must also cover software.
One of my friends shared with me a POLITICO article, which speaks about BlackBerry and their resistance to disclose a major flaw in QNX software, which is powering cars and hospital equipment. Check this out here. The problem is big and painful. Here is an interesting passage.
The back-and-forth between BlackBerry and the government highlights a major difficulty in fending off cyberattacks on increasingly internet-connected devices ranging from robotic vacuum cleaners to wastewater-plant management systems. When companies such as BlackBerry sell their software to equipment manufacturers, they rarely provide detailed records of the code that goes into the software — leaving hardware makers, their customers, and the government in the dark about where the biggest risks lie.
The problem made me think again about the software Bill of Materials. Read my story in this article to understand that the problem of software traceability in hardware devices is super old and goes back to some of the most famous failures in manufacturing industries. But here is the thing – 20 years ago, the problem was hitting several high-profile manufacturers of cellular phones and super complex equipment. These days, the problem is everywhere, because you can barely find a single pure mechanical device and piece of equipment these days.
Here is another passage from the POLITICO article that explains that…
… BlackBerry licenses QNX to “original equipment manufacturers,” which in turn use it to build products and devices for their customers, just as Microsoft sells its Windows operating system to HP, Dell and other computer makers. BlackBerry told the government it doesn’t know where its software ends up, and the people using it don’t know where it came from. Its known customers are a comparatively small group.
So, what can solve the problem? The problem is big enough to be raised to the level of government and regulation entities. The problem has been known for years and the need for SBOM (Software BOM) is clear.
For years, the Commerce Department’s National Telecommunications and Information Administration has been convening industry representatives to develop the foundation for this kind of digital ingredient list, known as a “software bill of materials.” In July, NTIA published guidance on the minimum elements needed for an SBOM, following a directive from President Joe Biden’s cybersecurity executive order.
Creating a way to disclose the ingredient list is not an easy task. The challenge of companies to publish it openly will help hackers and also impact company businesses. How do find a way to create a digital ingredient library, secured and shareable at the same time? This is a challenge and opportunity for companies. The solution for this problem lies in the combination of modern data management technologies, analytics to provide traceable query mechanisms combined with regulation and safety mechanisms to prevent bad guys from leveraging it.
Existing old PLM systems are not good candidates because most of them are tied to MCAD structures and are not capable of managing software. Modern multi-tenant PLM and BOM management systems capable of holding multi-disciplinary data structures can be good candidates to solve the problem. The multi-tenancy will play a big role here as it will allow us to share data between multiple tiers of suppliers, contractors and discover relationships that are not visible to each company and suppliers. Such services can become a foundation for solutions to solve the problem of software BOM traceability.
What is my conclusion?
Software BOM is a big problem in modern manufacturing companies. The complexity of products is growing and every modern product requires a multidisciplinary BOM management system to include a full digital recipe of what is included there. PLM vendors are moving in the direction to provide better software management tools. But the effort is mostly about how to deliver ALM systems. While this is a good start, it doesn’t answer the question of how to have an open digital library with access to all ingredients. Such a library must be secured, but at the same time provides information about what is actually included in each product can change the way software and hardware traceability is happening today. This is an important topic and question for government regulators, PLM architects, and security-minded people. Just my thoughts…
Disclaimer: I’m co-founder and CEO of OpenBOM developing a digital network-based platform that manages product data and connects manufacturers, construction companies, and their supply chain networks. My opinion can be unintentionally biased.