The open source community includes developers with widely varying
experience. At one end there are professional software developers
choosing to apply formal methods to the open source platform, and at
the other are 'amateurs', developing software on a trial and error basis in
their spare time, with little or no formal training and with little or no
documentation.
Although all parties can make an active and valuable contribution to
the development of open source software, there are inherent risks
when regulatory significant applications are developed by those not
formally trained in good software development practices. These risks
may include:
- requirements are not fully understood, defined or documented, making it impossible to validate the software;
- the developed functionality may not fulfil the requirements due to poor specification and design;
- code may be excessively error-prone and inefficient;
- important non-functional requirements may be missed, such as user authentication and secure password management, data security and data integrity;
- errors may not be identified due to insufficient or inappropriate testing.
Actual examples of 'bad practices' encountered in open source software
developed in this way include:
- failure to provide even basic user authentication in a web application accessing clinical trial data, allowing anyone with the URL to view personally identifiable health information;
- the storage of user IDs and passwords in an unprotected, unencrypted file;
- the ability of a laboratory data capture routine to enter an infinite wait state with no timeout mechanism and no way of halting the program by normal means;
- the ability for any user to access and change analytical data processed by an open source bioinformatics toolkit;
- complete lack of error handling at the application level in a statistical program, allowing a 'divide by zero' error to halt the program with no indication of the problem.
Although it is possible that part-time, untrained developers can develop
software that can be validated, this requires an understanding of both