Thanks again for the detailed feedback @stevespringett . Based on your comments, a more focused proposal is a Safety Integrity Classification (SIC) that complements the existing 2.0 risk, perspective, and criticality constructs rather than introducing separate safety metadata.
Motivation
CycloneDX 2.0 already provides:
- Safety and societal impact categories
- Safety-oriented domains
- Component-to-risk relationships
- VEX integration
- Criticality and asset classifications
What appears to be missing is a machine-readable abstraction for expressing safety integrity levels across industries.
Goal
Provide a normalized classification that can represent industry-specific safety assurance schemes while remaining attached to existing CycloneDX constructs.
Examples include:
| Domain |
Standard |
Classification |
| Automotive |
ISO 26262 |
ASIL A-D |
| Industrial |
IEC 61508 |
SIL 1-4 |
| Aviation |
DO-178C |
DAL A-E |
| Medical |
IEC 62304 |
Class A-C |
| Rail |
EN 5012x |
SIL mappings |
A normalized abstraction could look like:
safetyIntegrity:
classification:
scheme: ISO26262
level: ASIL-D
normalizedLevel:
HIGHor
safetyIntegrity:
classification:
scheme: IEC61508
level: SIL-3
normalizedLevel:
HIGHIntegration with Existing 2.0 Constructs
Rather than existing independently, safetyIntegrity would attach to existing constructs such as:
- assetClassification
- risk
- blueprint
- component
For example:
component:
name: brake-controller
assetClassification:
criticality: critical
safetyIntegrity:
classification:
scheme: ISO26262
level: ASIL-D
risk:
domain:
automotive-safety
impact:
physical
relatedVulnerabilities:
- CVE-XXXX
vex:
state: affectedThis enables downstream tooling and policy engines to reason about safety context.
Example:
if safetyIntegrity.normalizedLevel >= HIGH
and vex.state == affected
then priority = immediate
I think this preserves the existing CycloneDX 2.0 design while introducing a common abstraction for safety assurance levels across domains. Interested to hear whether this direction aligns with the 2.0 roadmap.
Thanks again for the detailed feedback @stevespringett . Based on your comments, a more focused proposal is a Safety Integrity Classification (SIC) that complements the existing 2.0 risk, perspective, and criticality constructs rather than introducing separate safety metadata.
Motivation
CycloneDX 2.0 already provides:
What appears to be missing is a machine-readable abstraction for expressing safety integrity levels across industries.
Goal
Provide a normalized classification that can represent industry-specific safety assurance schemes while remaining attached to existing CycloneDX constructs.
Examples include:
A normalized abstraction could look like:
or
Integration with Existing 2.0 Constructs
Rather than existing independently,
safetyIntegritywould attach to existing constructs such as:For example:
This enables downstream tooling and policy engines to reason about safety context.
Example:
I think this preserves the existing CycloneDX 2.0 design while introducing a common abstraction for safety assurance levels across domains. Interested to hear whether this direction aligns with the 2.0 roadmap.