From Models to Binaries: Where the Software Bill of Materials Fits in the Digital Thread
In brief: This article explains why an SBOM is more useful when it is treated as part of the engineering workflow, not only as a release-time compliance artifact. It looks at where SBOM fits from software architecture through binaries, how it depends on connected sources of truth, and why the surrounding digital thread determines whether teams can act on what the SBOM tells them.
- why SBOM is valuable, but limited, if it appears only at the end of the workflow;
- how earlier lifecycle context can make SBOM more useful for risk, change impact, verification, and release decisions;
- how system architecture, models, code, tests, Git, ALM, and PLM each contribute different sources of truth; and
- why the key question is not simply whether a team has an SBOM, but whether the engineering workflow makes it actionable.
Introduction
Over the past few years, I have heard more customers ask where a software bill of materials, or SBOM, fits in an engineered system. The question came up again recently at a conference, and I do not think it is just a cybersecurity or compliance question. It is also a lifecycle question.
At one level, the answer seems straightforward. An SBOM is a machine-readable inventory of the software components in a release. It helps teams understand what is in a product, assess potential vulnerability exposure, and communicate software content across the supply chain.
That is already valuable. But most engineering teams do not struggle to understand the core purpose of an SBOM. They struggle with the next question: when does an SBOM become truly useful for engineered systems?
Is it just a report produced near release time? Is it primarily a compliance artifact? Is it something security teams ask for after the software is already built? Or is it part of a broader engineering workflow that helps teams understand change, risk, and traceability throughout the lifecycle?
It can be all of those things. But treating SBOM only as an end-of-line document misses the more useful question: how can it help engineering teams make better decisions before and after release?

An SBOM Is Not Most Valuable at the End
If an SBOM appears only at the end of the workflow, its usefulness is limited. It may tell you what software components ended up in a delivered package, but it says little about how they got there, what changed between builds, or what evidence supports the result.
Like FMEA and other engineering analyses, an SBOM is more valuable when it informs decisions rather than merely records outcomes. A release-time report can satisfy a request. It does not always help a team understand what to do next.
If a vulnerability is disclosed, can you tell which product configurations, builds, or released binaries include the affected component? If a dependency changes, can you determine what needs to be rebuilt, retested, or reevaluated? If a software update is delivered into a regulated or safety-critical environment, can you trace that released binary back to the engineering artifacts, version history, and verification evidence that support it? Those are the conditions under which an SBOM starts to become useful rather than merely present.
The same idea applies before release. Once the software architecture begins to identify major components, services, libraries, third-party software, generated code, and supplier-delivered elements, an early SBOM can help teams reason about risk before implementation is frozen. It may influence component selection. It may shape supplier conversations. It may help security, licensing, and compliance teams see issues earlier.
The SBOM will still evolve as the product evolves, but that is the point. It becomes part of the engineering process, not just something produced at the end.
At the same time, compliance should not be understated. For many organizations, SBOM is not a nice-to-have. It is increasingly tied to cybersecurity expectations, software supply chain transparency, and regulatory obligations. Producing an SBOM can be essential for demonstrating what is in a release, assessing exposure, and supporting downstream reporting and audit needs.
Compliance is not secondary here. I would argue that it becomes stronger when the SBOM is connected to the engineering workflow that produced the software in the first place.
From Models to Binaries
Engineered systems do not move cleanly from a requirement to a binary. They move through a chain of artifacts, decisions, transformations, and evidence.
A system architecture defines the structure of the overall product and helps organize behavior, interfaces, and responsibilities across domains. From there, different parts of the system move through their own development processes. Mechanical, electrical, electronics, and software teams may each use different tools, review cycles, and release mechanisms. For software-intensive functions, including controls and other algorithms, that path continues through executable design models, source code, build pipelines, testing workflows, and released binaries.
Software architecture is where that progression starts to become concrete for the SBOM. It turns system intent into a software structure, identifying components, services, interfaces, dependencies, third-party elements, generated code, and supplier contributions that may eventually appear in the SBOM.
At that point, the SBOM is no longer only a release artifact. It can begin to reflect architectural intent and help teams evaluate risk, compliance, and verification implications before the software is packaged.
Most teams already have the artifacts. The harder part is keeping the relationships meaningful as the product changes. Architecture, design, code, tests, and release outputs may all exist, but the engineering value comes from preserving the relationships between them. When the product changes, teams need to understand what changed, what is impacted, and what evidence still holds.
An SBOM becomes most concrete during implementation and release. It tells you what software content is in the product as built. But its usefulness starts earlier when it can be tied back to the software architecture, models, code, dependencies, tests, and lifecycle systems that explain why those contents are there.
What Are the Authoritative Sources of Truth?
One reason this topic gets messy is that an engineered system rarely has a single authoritative source of truth for everything.
A system architecture may be authoritative for product structure, interfaces, and system-level intent. Domain-specific artifacts may then become authoritative within their own parts of the lifecycle: mechanical designs for mechanical development, electrical artifacts for electronics, and executable design models or source assets for software-intensive functions, including controls and other algorithms.
Git may be authoritative for versioned source history and change tracking. ALM may be authoritative for requirements, work items, defects, and software workflow execution. PLM may be authoritative for product configuration, release structure, and lifecycle state across the broader hardware-software product.
That distribution is normal in a complex engineered system. Different teams own different parts of the product definition because they are doing different work.
The system architecture sets intent and organizes the product at a high level. The different engineering domains then carry that intent through their own development processes. Later, those domain outputs have to be brought back together through integration, verification, configuration, release, and sustainment.
I think this is the key point: the question is not which source of truth should replace the others. The question is how those sources of truth stay connected well enough to support engineering decisions across the lifecycle.
That is where the digital thread earns its value. It connects authoritative artifacts without pretending they all collapse into one tool or one repository. Just as importantly, it connects the right versions of those artifacts, helping teams understand a coherent product configuration at a given point in the lifecycle. It helps teams move from local truth within a discipline to lifecycle understanding across the product.
The Role of Git, ALM, and PLM
It helps to be explicit about Git, ALM, PLM because these terms often get blurred together.
Git plays a critical role in versioned engineering assets, source history, branching, baselines, and collaborative software development. But Git is not PLM, and it is not meant to manage the full product lifecycle.
ALM sits closer to software execution. It manages requirements, work items, defects, traceability, and software delivery processes. It is related to PLM, but it serves a different purpose.
PLM remains important because product development does not stop at source code. Teams still need configuration control, release structure, lifecycle status, and coordination across hardware, software, manufacturing, and sustainment.
An SBOM does not replace any of these systems. It benefits from them. When an SBOM is generated in isolation, it can become a static inventory. When it is connected to Git history, ALM workflows, PLM context, model dependencies, and release processes, it becomes much more actionable.
It starts to answer not only what is in the software, but also where it came from, what changed, what it affects, and what evidence supports it.
That is also why compliance should not be treated as separate from engineering flow. In regulated environments, the quality of a compliance artifact is shaped by the quality of the lifecycle thread behind it. A stronger connection between engineering artifacts, change processes, and release evidence supports better compliance outcomes, not just better engineering efficiency.
More Than a Checkpoint on a List
It is worth being careful here. SBOM should not be reduced to a compliance checkpoint, even while recognizing that compliance is a major reason it matters.
Some teams need an SBOM to satisfy customer requirements. Others need it for software supply chain governance, cybersecurity review, or regulatory expectations around software content and dependencies.
But an SBOM becomes more useful when it also supports engineering decisions. It helps teams understand whether a released binary includes a vulnerable dependency, what changed between builds, how software content should be communicated across suppliers and product teams, and how release artifacts connect back to lifecycle context.
In stronger workflows, it can do even more. It can help teams connect software content to change impact, verification scope, and release confidence. It can help identify stale artifacts, impacted tests, and downstream consequences of modification.
That is a very different role from “generate a file and archive it.”
Where SBOM Fits in the Digital Thread
So where does SBOM fit?
It becomes most visible near release and deployment, but its usefulness depends on the upstream context that explains it. It is not the digital thread itself. It is one artifact within that thread.
In a strong workflow, the thread connects system intent, domain development artifacts, software assets, dependencies, tests, and release outputs. An SBOM then becomes a useful expression of what software content made it into the product at a given point in time.
If the surrounding thread is weak, the SBOM is harder to trust, interpret, and act on. If the surrounding thread is strong, the SBOM becomes a way to navigate back to the engineering decisions and evidence behind the release.
So the better question is not “Do we have an SBOM?”
It is “Can our engineering workflow make the SBOM actionable?”
An SBOM is not most valuable when it simply exists. It becomes valuable when it stays connected to the engineering artifacts, lifecycle systems, and verification evidence that explain what is in the product, why it is there, and what has changed. That is where SBOM fits in the digital thread.


コメント
コメントを残すには、ここ をクリックして MathWorks アカウントにサインインするか新しい MathWorks アカウントを作成します。