Industrial Strength Open Source Code?
dnnrly asks: "I work for a company that writes software for the pharmaceutical industry. We have to work in quite a tight regulatory environment because some of our code ends up in the process of drug testing. Seeing as the FDA are quite picky about making sure that there can be no errors in testing new drugs, our clients have strict rules that we must follow for coding. We have to review all of the code that is written, making sure that everything is traceable to a design specification. Where we use 3rd party software/code we have to make sure that it comes from an ISO9000 source. This is a bit of a problem when we would like to use open source stuff in our code. Projects like log4net and NUnit would be tremendously useful in our code but we're not allowed to use them because they don't tick the right boxes. Now, *I* know that these projects (and others) are incredibly stable just because of the volume of use that they have seen but that isn't enough for some people. How can we certify such software?"
I work as a software engineer for a company that manufactures an FDA-approved medical device. We are ISO certified as well (for design and manufacturing). There are no restrictions on using open source software for FDA medically approved devices. We use Linux on our embedded single board computers, several of the boost libraries, and many more open source libraries. If you have restrictions using open source in your workplace it is most likely because your ISO-certified design process limits open source use. The design process is defined by your company and certified by TUV auditors for ISO compliance. The actual ISO 9001 documents that specify what is required for an ISO-certified medical company are actually very light. Oftentimes companies make additional restrictions upon themselves for their ISO-certified design process (usually some dipstick with an MBA and no engineering sense whatsoever, who doesn't realize it). For example, if someone (let's assume the dipstick MBA) at your company stated in your design process (prior to the initial ISO certification) that open source code cannot be used and the ISO auditors certified your design process with that exclusion, then your company is bound to that limitation (even though the FDA or ISO standards don't limit open source use). Bummer, eh? Good luck. It's a shame you have to deal with those restrictions.