Question on Open Source Software Tools (CVS Bugzilla)

There is a thread already on open source embedded software and I have a similar question on the use of open source tools such as CVS and Bugzilla.

There is a start-up medical device company asking me whether they can use the likes of CVS and Bugzilla for managing the software they are developing. My first opinion was yes, provided you validate them for their intended use, but this would probably be a bigger task than if they bought commercial OTS products.

Does anyone have any experience using the likes of CVS and Bugzilla in an FDA-regulated environment?

Very interesting question, swqual. I think you have answered the question yourself.

Would the task of validating this software be worth the time, effort and expense rather than using a COTS product?

Don't get me wrong, I think open source software is great; in fact I used it for this website, but this website is not involved in manufacturing medical devices or software. I think it's a case of the right tool for the right job.

As far as my experience goes, I have never seen open source software used in a regulated environment because it's just too risky.

Where do you go for support? (Can you really tell an auditor that you are using forums for support?) You need to have a vendor contract in place in case anything goes wrong.

How can you perform a vendor audit?

My advice: stay clear of open source in regulated environments; it's just too risky.

Interested to hear more opinions, or if anyone has used open source software in a regulated environment.

I really want to look at this. I know Bugzilla is used by MasterControl (GMP software provider). They may use CVS too, I’m not certain. A lot of the software is quite mature. I think the documentation may be lacking and there is no one to audit. So the risk assessment must define the testing required.

But I see no reason not to use open source in a regulated environment; most of us can validate anything. Trade the cost of software and licensing for validating for use.

I agree with you meyert, for certain projects open source software would be great.

But what happens if something goes wrong? And trying to get buy-in from the powers that be might be very difficult.

It's definitely a grey area.

Would a regulated company use an open source application for a document management system? I think not.

I suppose it does depend on what it is to be used for, the level of support, and the maturity of the software.

You could also argue the level of support from some forums would actually be better than the vendors support anyway!

Typically, you hire a company to help implement your software. I wonder, if you put them on the hook for support and updates, I think that may satisfy the requirements. I really don’t see the Pfizers or GSKs using open source, more like some small firm with limited capital. Heck, they may even use one of the Linux desktops.

We use CVS and are looking at using Bugzilla on a project just getting started. We have not been questioned as to the choice or management of CVS. Note that once a problem is resolved, we print a hard copy of the report and file it in a binder. This becomes the record, not the electronic copy. A bit of a regulatory dance, but it seems to be acceptable so far.

So I’m in complete agreement with meyert in that a) most open source software is quite mature and b) it can be validated. When faced with validating open source software, we basically treat it as our own. No vendor audit and we cobble together some high-level requirements on which we base our validation.

I have not seen that commercial apps are exempt from validation. They may come with some validation packages to ease the burden, but if you’re using software to support regulated activities, I’ve typically seen that it needs to be validated.

Hi yodon,

I don't disagree with Meyert, and I take your opinions on board.

All commercial software in this area must be validated, the degree of validation depending on your risk assessment; I was not disputing that.

Thanks for the feedback, guys. I guess the key factor is the level of validation required for a COTS vs. an Open Source system, and balancing the costs of purchase, validation and ongoing maintenance.

Thinking about this today, it occurred to me that the main potential issue with Open Source software is the future maintenance of the system, e.g. s/w patches and upgrades, and the support of these systems for Microsoft Operating System patches.

In the case of the COTS product, you will have these from the vendor as part of a maintenance agreement, but in the case of Open Source the onus will be mainly on the user and this adds to the maintenance overhead.

My clients are a small start-up company developing a software-based medical device product and won't really have the manpower resources to dedicate to the initial validation and ongoing maintenance of an Open Source system, so I'm going to recommend that they go with a COTS product for configuration management and bug tracking that is appropriate to their needs and size, which will make the initial validation work more manageable.

Anyone have any opinions on SourceSafe or PVCS, or recommend any other Windows-based CM product? ClearCase is excellent, but complicated.

Where are you/your clients located? Oh, and check out the Part 11 group on Yahoo. There are a couple of threads on open source.

Based in Ireland. I'll check out the Part 11 group on Yahoo.