1 of 12

Independent Compliance Assessment

Further Enabling OpenChain Self-Certification

for Entities of all Sizes

2 of 12

Situation

There are two kinds of certification for OpenChain Conformance available:

  • Self-Certification
  • 3rd Party Certification by TÜV SÜD

3 of 12

Challenges

  • Self-Certification does not fulfill the requirements of all parties within the software supply chain
  • 3rd Party Certification can be eyed skeptically in some domains, e.g. the automotive industry
  • Single vendor for 3rd Party Certification
    • vendor lock-in possible
    • the value of a certificate usually rises with the number of such certificates in circulation
    • limited opportunity for purchasing engagement in big corporations with just one vendor
  • No assessor community, as exists for e.g. A-SPICE or functional safety, to establish a common way of doing independent assessments/certifications
    • competition usually drives innovation
    • limited number of evangelists driving the idea of independent assessments/certifications

4 of 12

Solution - Independent Compliance Assessment (ICA)

Approval pattern taken from ISO 26262-2:2018

Table 1 - Required Confirmation Measures, including the required level of independence

Best practice: assessment activities performed by an independent party, the Independent Safety Assessor (ISA), are input to the internal approval process, e.g. management decides to sign the release approval taking the assessment report into account

5 of 12

Solution - Independent Compliance Assessment (ICA)

  • assessment and certification tasks are split (see following slides)
  • assessment activities are done by independent assessors
  • assessment output can be input for internal activities
    • quality assurance process
    • release approval
    • Self-Certification

Example process from the automotive domain: safety approval is given by an internal safety manager based on the results of a safety assessment. For certain kinds of product development (new, mission-critical, etc.), an external independent safety assessment must be performed. For product developments considered less critical, the internal QA department is responsible for the safety assessment.

6 of 12

Advantages of the ICA

  • “Independence of the Independence”
    • no vendor lock-in to certification authority
    • management can consider the assessment result, but still make own decision
  • Easier growth of an assessment community than of certification bodies
    • workaround for the resource limitations every test house faces
    • easier for purchasing departments, as they can (theoretically) get more quotations
  • Outsourcing of OpenChain related QA activities
    • possibility of long term support by independent assessors without need for certification
    • internal re-usability of the assessment results

7 of 12

Tasks for certification

  • Planning: define scope & set up certification project
  • Assessment Phase: audits and offline reviews
  • Reporting of Results
  • Issue Certificate

8 of 12

Results of the tasks

  • Planning (define scope & set up certification project): result is the Plan
  • Assessment Phase (audits and offline reviews): result is Checklists, Review Protocols
  • Reporting of Results: result is the Assessment Report
  • Issue Certificate: result is the Certificate

9 of 12

Separation of task responsibilities

  • Planning (define scope & set up certification project): result is the Plan
  • Assessment Phase (audits and offline reviews): result is Checklists, Review Protocols
  • Reporting of Results: result is the Assessment Report
  • Issue Certificate: result is the Certificate

Legend of the original diagram: activities done by an independent party

10 of 12

Solution - results of the work packages

(Same task/result diagram as on the previous slide: Planning, Assessment Phase, Reporting of Results, Issue Certificate, with the activities done by an independent party marked.)

11 of 12

Assessment Report - Input for certification

Assessment Report (result: ok) serves as input for both of the following:

Internal approval process

  • release approval
  • management level reporting
  • OpenChain Self-Certification

3rd party certification:

  • certificate
  • marketing advantage

12 of 12

Things to discuss

  • Who is an independent assessor?
    • qualification?
    • accreditation?
  • Do we need a standardized format for the assessment output?
    • minimum set of assessment tasks
    • obligatory information set in the assessment report
  • Who can give accreditation?
    • for independent assessors / assessment entities
    • for ensuring constant quality of assessments
  • If this approach is considered - do we need a work team within OpenChain?
    • would be great to have an active assessor community similar to the communities that have grown around A-SPICE, CMMI and functional safety