Slashdot Mirror


Industrial Strength Open Source Code?

dnnrly asks: "I work for a company that writes software for the pharmaceutical industry. We have to work in quite a tight regulatory environment because some of our code ends up in the process of drug testing. Seeing as the FDA are quite picky about making sure that there can be no errors in testing new drugs, our clients have strict rules that we must follow for coding. We have to review all of the code that is written, making sure that everything is traceable to a design specification. Where we use 3rd party software/code we have to make sure that it comes from an ISO9000 source. This is a bit of a problem when we would like to use open source stuff in our code. Projects like log4net and NUnit would be tremendously useful in our code but we're not allowed to use them because they don't tick the right boxes. Now, *I* know that these projects (and others) are incredibly stable just because of the volume of use that they have seen but that isn't enough for some people. How can we certify such software?"

10 of 68 comments

  1. Import it into your own code base, and review it. by ankhcraft · · Score: 4, Interesting

    Simply import it into your own code base, and then review it as if it was written internally. Basically, learn it inside out, as if you wrote it yourself. If that is not legally sufficient, then the laws need to be rewritten since the lines they would be attempting to delineate would at this point be completely imaginary. It doesn't matter whose head it originates from, what matters is that it is fully reviewed and completely understood to the point where everyone on your team is prepared to stand behind the entire body of code. If that confidence comes from actual understanding, it becomes irrelevant who wrote the code in the first place. How would it be any different if, instead, it was code written by somebody who no longer works at the company?

    --
    ...
  2. Fork it? by rolfwind · · Score: 2, Interesting

    I'm not familiar with this software nor their licenses, but can't you just take a build of their software, fork it off as your own build and start treating it as internally made software? The greatest expense would be then certifying that first build.

  3. What ISO9000 really means by hacker · · Score: 3, Interesting

    ISO9000 means one thing:

    Our process sucks, but it's well-documented.
  4. This isn't as easy as it sounds. by jd · · Score: 3, Interesting
    I've been told by bosses when working for the DoD that although the code I wanted to use was indeed audited, FIPS-compliant and published by the DoD themselves, it wasn't on an approved list of certified FIPS-compliant software so wasn't acceptable. When I asked how something the DoD wrote and published as an official DoD application could possibly not be acceptable for use by the DoD, I was told that procedures were procedures and had to be followed. The fact that it was GOTS and written by the people who do the certifying was of no consequence.


    So, don't imagine that this is going to be an easy one. Open Source projects by IBM might be easier to get past the Great And All-Seeing (but definitely not all-knowing) Pointy Haired Bosses - at least some will be familiar with the phrase "nobody ever got sacked for buying IBM" and may even still believe that. Some of the Apache projects might be workable, provided you use the line of reasoning that since Apache is listed on IBM's website as a project they are working on, it is covered by the "nobody ever got sacked for buying IBM". You don't have to tell them that IBM is only one member of a large consortium, and it might be better not to.


    Some projects were connected to IBM and other major corporations but are now independent. Postfix is an example of that. I believe evlog (Enterprise-grade event logging for Linux) is also such a project. Speaking of evlog, I would DEFINITELY suggest using it in any commercial or Government setting. It's not that good and Linux has plenty of other security, but "Enterprise-grade logging" is mandatory in many cases and this provides it. It ticks the right box, even if it doesn't do a whole lot more for you. It's a pure CYA and nothing more.


    ISO 9000 (or later) compliance is probably the toughest requirement, as it stipulates documenting the process and activities, where the level of documentation depends on how critical the project is, and Open Source projects have neither that type of documentation nor any real concept of criticalness as components are freely reusable. Your best bet is to work through vendors that are themselves ISO 900x certified AND supply either the Open Source OR the links to those projects, then argue that by documenting the use of a project that comes from an ISO 900x certified source, you inherit the certification indirectly. Some bosses will buy that easier than others and depending on the structure of the organization, you may have flexibility on who you present the case to. If so, shop.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. The starving programmer? A myth. by Colin+Smith · · Score: 2, Interesting
    It is truly inspiring that so many can work together so well towards a common goal, and it is truly stunning to take in the vast amount of software available which is written pretty much completely philanthropically.


    Philanthropically? Um. no. Free and Open Source software is written because the author needs it. They require the use of it. By allowing others to use it, the author loses nothing, they are not losing their time because they needed the software in the first place and the effort to copy it is negligible.

    Writing Free and Open Source software is just as selfish as any other act. Software which is written with high ideals, for the betterment of man will not succeed because it isn't fulfilling a need.

    But the problem is that few actually get paid to do this, it is done in spare time.

    Simply not true. A huge amount of free and open source development work is performed by staff developers who are writing software which their organisations need.

    Software is called soft because it's malleable, it can be moulded to fit the needs of the users. It's highly unlikely that any piece of software would exactly fit the needs of all users so there is a market out there for the customisation of almost all software, with free and open source software it's particularly easy, there is a market for customisation, service, support.

    If you are a developer thinking of creating software for the benefit of mankind or the open source movement... Think again, there's enough abandonware out there already. Do it because you need it.

    p.s. Free and Open Source software isn't having any trouble at all competing, it's filling niches left right and centre, though you may not see it filling your niche right now.

  6. Re:ISO 9000 by Monkelectric · · Score: 3, Interesting
    I think ISO 9k is an industry scam. I worked for a company which had no process whatsoever -- literally none. When a new piece of software needed to be written -- someone would walk into your office and say, "I need something to do X" That *WAS* the entire software process. No requirements, no architect, no analysis, no test plan, no documentation, no testing, nothing.

    We were 9k certified.

    --

    Religion is a gateway psychosis. -- Dave Foley

  7. Re:Open Source and ISO 9000 by mabhatter654 · · Score: 2, Interesting

    A Distro or individual project could get certified if they put the work into it.. it could even be a selling feature. I'd expect Suse and Red Hat already have something in place to satisfy these requirements as they deal in large enterprise installs already. OSS and ISO really do go hand-in-hand, but hackers tend to like to do things their way... and ISO is all about following instructions. Still, it could be a neat project to provide ISO, SOX, HIPAA, etc. testing to OSS projects in some fashion that was non-disruptive to the fun stuff. It could be something Google Code or Sourceforge add to their hosting solutions.

  8. Re:You're right, it's budget by mrchaotica · · Score: 2, Interesting

    Candidate 3 Interview Excerpt: "I put in a new system X that would have cost $20 million, except I used Free Software and did it for only $1 million instead." "How successful was it?" "Oh, extremely -- and I saved the company $19 million!"

    In other words, calculate the cost of doing it the stupid way and then frame the discussion in terms of the amount of money you saved rather than the amount of money you spent.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  9. Re:ISO 9000 by NateTech · · Score: 4, Interesting

    ISO 9000 is a documentation process, not a quality process. People don't seem to get that, and the marketing spin around it for years has not exactly made that very clear.

    One of the engineers at work keeps a photograph of the Firestone plant that produced all the deadly, defective tires for Ford.

    The photo shows clearly:
    - The plant was shut down and closed.
    - The plant has a large "ISO 9000 Certified" sign on the entrance sign.

    ISO 9000 just means that you documented your procedures and you can verify and prove that you followed them. It does not tell you whether or not they're smart, safe, profitable, or anything else about your business.

    In other words: ISO 9000 forces a company to document what they're doing, but can't save the idiots from doing the wrong things.

    --
    +++OK ATH
  10. Re:Import it into your own code base, and review i by real+gumby · · Score: 3, Interesting
    dnnrly: ankhcraft has it right (see below for my credentials for why I say this). Your customers are presumably operating under GMP and/or GLP (the pharmaceutical equivalent of ISO9000 and which is all described in CFR Title 21). They need a basis for your attestation as to the function and performance of the product you provide. Your using vendors claiming to adhere to ISO 9000 is really just a (reasonable!) way for you to not do as much cross-checking on their execution. If you import the software package and review it you can then make whatever performance claims you feel comfortable making -- probably far more robust ones than you could about most of your other outside vendors!

    Don't forget that you do have to do all these checks. As a pharma manufacturer I tell the FDA that I rely on CoAs from my vendors, but I rely on them only by getting samples from them, cross-checking their work, and then also cross-checking that on the raw materials that are actually used in manufacturing. And I check during the manufacturing process and after manufacture as well just in case!

    But you can't reasonably do all this for, say, a whole O/S. It's just too big and too complicated. This is why you'll see medical systems (or avionics) running on LynxOS or Green Hills' OS rather than standard Linux, ITRON or eCos (though eCos is small enough that you could probably review it yourself too). Regrettably, some are starting to ship with Windows which I am sure has not been subject to the equivalent review.

    So why am I so confident in saying this?
    • I am currently in the pharma business and running under GMP right now myself so am painfully aware of what it requires.
    • I've previously (in previous companies) had plenty of customers who themselves run under ISO 9000 (in telecom, avionics, automotive systems, medical devices, military etc) and so know what they demand of themselves and of their vendors (e.g: downtime requirements of less than 3 minutes per decade)
    • I was a cofounder of the first free software (we predated the term "Open Source") business, Cygnus Support, where we had those ISO 9000 customers and satisfied them.
    • you're not my company. You'll have to cross-check my suggestions yourself.


    In other words I'm probably the only person on the planet who's been under GMP, under software ISO9000 and also been a free software developer.
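Both ankhcraft (comment 1) and real gumby (comment 10) argue that you can stand behind an imported library only by reviewing the exact copy you ship, and real gumby adds that you keep cross-checking afterwards. The review record is worthless if the vendored tree drifts from the bytes that were reviewed, so an auditor will want proof that what is built is what was signed off. The example below is added here and is not code from the thread or from any of the projects it mentions; it assumes a hypothetical vendored directory `third_party/examplelib` with constructed sample files. It records a per-file SHA-256 manifest at review time and later reports any file that was modified, added or removed, which is the minimal mechanism for tying "we reviewed this" to a specific snapshot.

```python
"""Pin a vendored third-party snapshot to the exact bytes that were reviewed.

Added example (not from the thread). The directory layout and file contents
are constructed for illustration; any real project would point `root` at its
own vendored tree and keep the recorded manifest under version control.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.

    Paths are sorted and POSIX-normalised so the manifest is stable across
    platforms and can be diffed in a code review.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_manifest(root, recorded):
    """Compare the tree under root with the manifest recorded at review time.

    Returns a dict with an overall 'ok' flag plus sorted lists of paths that
    were added, removed or modified since the review. Any non-empty list means
    the review record no longer describes what is being built.
    """
    current = build_manifest(root)
    added = sorted(set(current) - set(recorded))
    removed = sorted(set(recorded) - set(current))
    modified = sorted(
        p for p in recorded if p in current and current[p] != recorded[p]
    )
    return {
        "ok": not (added or removed or modified),
        "added": added,
        "removed": removed,
        "modified": modified,
    }


def demo():
    """Constructed scenario: review a two-file snapshot, then tamper with it.

    Returns (result_before_tampering, result_after_tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical vendored library; names and contents are made up.
        root = Path(tmp) / "third_party" / "examplelib"
        (root / "src").mkdir(parents=True)
        (root / "src" / "logger.cs").write_text("// constructed sample file\n")
        (root / "LICENSE").write_text("constructed license text\n")

        recorded = build_manifest(root)  # what the reviewers signed off on
        clean = verify_manifest(root, recorded)

        # Simulate drift after review: one file edited, one unreviewed file added.
        (root / "src" / "logger.cs").write_text("// silently changed after review\n")
        (root / "src" / "extra.cs").write_text("// new, unreviewed file\n")
        tampered = verify_manifest(root, recorded)

        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"before": before, "after": after}, indent=2))
```

In practice the recorded manifest (or a signed hash of it) is committed alongside the review sign-off, and `verify_manifest` runs in the build so that an upgrade or a stray local edit fails loudly until the changed files have been re-reviewed. Hashing the files you actually compile, rather than trusting a version number or an upstream release tag, is what makes the "treat it as internal code" argument defensible to an auditor.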