Software Bill of Materials improves Intellectual Property management

Embedded Computing Design — March 23, 2009

Accurate record keeping and proper Intellectual Property (IP) management enhances embedded system development throughout the design chain and ensures more effective product life-cycle support.

Software has become a ubiquitous part of cell phones, cameras, computers, and other mass-distributed consumer products. This pervasiveness can hinder embedded system developers given that software development costs sometimes outweigh those of hardware development, and product support issues are more often related to software rather than hardware problems.

However, embedded developers can reduce software development costs and schedules through software reuse, reliance on third-party code, and increasingly, open source code. Indeed, companies rarely create all of the software in their products. Much of the code is independently developed by the sources mentioned and then integrated into the final product with various degrees of value added throughout the development cycle. The cell phone example illustrated in Figure 1 demonstrates this integration and value-add process.

Figure 1 | The software code in a cell phone is provided by multiple parties involved in the product development cycle.

The cell phone combines software developed by the manufacturer and outsourced developers as well as the software that comes with the chipsets, which are typically developed in-house or acquired from third parties or open source directly or through various layers of chained suppliers.

An end product – in this case, the cell phone – is thus the sum of the code provided by the many organizations and individuals involved in the overall cell phone software supply chain. However, an end product rarely provides a complete and up-to-date view of all of these contributors and their respective software components. This can lead to increased costs, delayed schedules, and significant business risks if any of the software components do not meet proper IP and copyright obligations or if they have to be corrected once the product reaches the market. Imagine that a security fault is discovered in the protocol stack supplied by one of the players. Not only would it be difficult to ascertain which of thousands of products are affected, it would also be extremely tedious and costly to find a solution and correct the problem.

These issues would not exist if the software code came with proper records and pedigrees for all of its components. Few companies have managed to capture and deliver a software Bill of Materials (BOM) because until recently, most methods for determining what is in the code and ensuring correct IP management were retrospective; companies used either cumbersome manual audits or expensive tools for automatic code analysis. Such after-the-fact corrective methods can result in costly redesigns and delays in product availability.

Automatic tools check code history

Embedded developers can avoid these problems by adopting real-time record gathering and preventive IP management processes. To accomplish this, companies must set acceptable software adoption and IP policies and use newly released automatic tools to analyze, record, and compliance-check legacy code as well as any new code brought into the project.

Good software development practices have evolved to include systems for checking syntax, managing software versions, and tracking software bugs. Nonetheless, certain disciplines that are accepted practice in structured hardware development have yet to be adopted in software development:

  • An approved vendor list that contains the approved components and licenses, including commercial terms, vendor history, versions, and pricing so that a developer can select components from the list without concern
  • Automatic notification when someone tries to use code with unapproved licenses or code modules governed by incompatible licenses
  • A BOM that fully records which components are used in the final product, including details to enable production, determine costs, identify where it can be exported, and track vendor upgrades and other post-design activities

The best approach is to make record keeping and source code IP management an integral part of the software development and quality assurance processes.

Automatic tools are now available to handle these tasks in an unobtrusive manner and with minimal training, enabling project managers to define appropriate policies for record keeping, source code adoption, and IP management. For example, tools like Protecode’s Enterprise IP Analyzer can be applied to existing (legacy) code for establishing an up-to-date map of its components and their pedigrees. Another tool, the Development IP Assistant, is integrated within specific development environments, where it operates unobtrusively in the background at each development workstation to detect, log, and identify in real time each piece of code brought by the developer into the respective project.

These tools check the attributes of each piece of code against the adoption and IP management policy for the project and take appropriate action according to the established policy. Furthermore, these tools provide a software BOM that enables developers and clients throughout the embedded system design chain to be fully cognizant of what is in the code and how to address support issues effectively.

Applying real-time record keeping and preventive IP management reduces development costs, avoids wasted resources in after-the-fact corrective activities, shortens development cycles, and enhances the overall lifelong value of embedded software systems.

Sorin Cohn-Sfetcu works in the marketing department at Protecode. He has 30 years of international business and technology experience and holds several patents in Web services, wireless, and digital signal processing. Sorin has an MSc in Physics from the University of Calgary, an MEng in Engineering Physics from the Polytechnic Institute of Bucharest, and a PhD in Electrical Engineering from McMaster University in Canada.

Mahshad Koohgoli is the CEO of Protecode, based in Ottawa, Ontario, Canada. He has more than 25 years of experience in the telecommunications industry and specializes in technology start-up businesses. Mahshad has a BSc and a PhD in Stochastic Control Processes from the University of Sussex, England.


Sorin: 613-301-0066

Mahshad: 613-721-5936