COTS is not a "fire and forget" approach

The economic benefits of Customised off the Shelf Solutions (COTS), over bespoke software solutions are well documented. COTS account for 35% of the IT portfolios for multinationals and up to 100% of the IT portfolios for small and medium sized enterprises. 

A major advantage of COTS is that they have no involved software development practices. These have been performed at an earlier time and consumers can quickly purchase a finished product. Justifiably, many consumers perceive that the typical risks and issues associated with a bespoke IT solution are eradicated. Unfortunately, this perception is a real problem that results in an increased risk of COTS implementation problems, validation headaches and even abandonment.

Some oversights associated with COTS include:

• What is the current set of COTS features and what features will be added and/or removed in future versions?
• Will there be an impact of the COTS product on existing system or systems, either manual or automated?
• Are there hidden defects that still exist in the COTS product?
• What level of compatibility is there with the current system?
• Will there be a need to customise a COTS candidate, or an existing system, to facilitate integration?
• What will the cost of the new releases be? What are the licencing costs? Are there hidden 3^rd party costs?
• What are the financial stability, capability reputation, support and trustworthiness of the vendor?
• What is the capability of vendor to assist in any validation activities? E.g. level of documentation, access to documentation, internal verification and validation approach, and so forth.

With a business and operational perception that there is less risk involved with a COTS product versus a bespoke product, COTS projects can be problematic for validation teams in terms of prolong project duration, issues found and quality confidence. 

With business and operational perception that COTS products are low risk and easy solutions there is often less demands placed on a supplier. 

• The black-box nature of COTS products forces consumers to rely on vendors claims.
• Vendor demonstrations are usually performed with well scripted examples that often steer the audience in an intended direction, with little scope to go off piste. COTS are built to be generic for common needs and may often be incomplete for unique needs for organisations.
• The description of a COTS product is often incomplete.

COTS selection and subsequent validation is a problematic area for many companies for a number of reasons: COTS perception, operational and business lack of focus, increased burden of validation teams, lack of adequate assessment (and even audit) of suppliers, process adjustment to suit the new tool and even COTS abandonment.

EmpowermentQE have witnessed countless examples of organisations implementing COTS solutions only for them to end up being abandoned or for organisations to change their own processes and procedures in order to fit COTS solutions. We have also witnessed the real pain of increased work load for validation teams in dealing with COTS products.

In the upcoming series we are going to take a look at some aspects of our Risk Based Approach for COTS identification, selection, verification and validation. We will provide keys aspects of our approach that will reduce the risk of COTS abandonment, consider functional and non-functional needs and ensure a comprehensive approach that will support the needs for validation teams to remain compliant and perform their tasks in a timely fashion. We aim to provide you with some key aspects that will allow to use in your workplace or at least think about.

Our COTS approach has been constructed from years within the wider software engineering community and from the regulatory industry. In the interim, please contact EmpowermentQE for more information.