state. This step should also include an initial assessment of the software
risk severity (see below) to determine what will be the appropriate scope
and rigour of the risk-based validation.
The answer to these questions will determine whether validation is
possible and whether it is still cost-effective to leverage an open source
solution. Assuming that this is the case, it is then necessary to determine
whether it is possible to leverage any validation support from the software
'supplier'.
21.4.2 Supplier assessment
There is a clear regulatory expectation to assess suppliers. Such
assessments (including audits) are potentially subject to regulatory
inspection (Eudralex Volume 4, Annex 11). Given the additional risks
associated with open source software, it is essential that such an
assessment is carefully planned, executed and documented. An overview
of the approach is presented in Figure 21.2.
In most cases with open source software there is no supplier to assess,
so a traditional supplier audit of a commercial supplier is out of the
question. It is, however, possible to assess the support available from the
open source community, even if this is not available on a contractual basis.
Key questions to consider, and whose answers should be documented, include:
- Is there a formal community supporting the software or is it just a
  loose collection of individuals?
- Does the community have any formal rules or charter that provide a
  degree of assurance with respect to support for the software?
- How mature is the software? How likely is it that the open source
  community will remain interested in the development of the software
  once the immediate development activities are complete?
- What level of documentation is available within the community? How
  up-to-date is the documentation compared to the software?
- How does the community respond to identified software bugs? Are
  these fixed in a timely manner and are the fixes reliable?
- What level of testing is undertaken by the community? Is this documented
  and can it be relied upon in lieu of testing by the regulated company?
- What level of involvement are we willing to have in the community?
  Will we only leverage the software outputs, or actively support the
  development?