@“Peter_Viscarola_(OSR)” said:
@craig_howard … weeeeellll, in theory, maybe.
In the real world, I have never… not once… found the “supply chain” for driver-related tools to have any vetting process at all. Our company has written, quite literally, many dozens of drivers for industrial, medical, and military devices. For vendors in the US and throughout the EU. Not once has a client or prime contractor told me what version of VS or the WDK to use. Haven’t even been asked or indicated that they cared (beyond something like “can I use VS 16.6 instead of 16.7, because I haven’t updated yet.”). Not once. Never happened.
Shit, dude… I’m writing a driver right now for an invasive piece of medical equipment. I update VS anytime I want. This client, who are tops at what they do and absolute leaders in their field, couldn’t care less if I use the WDK or the EWK. Why would they? They know medicine and hardware stuff. They don’t know Windows drivers. That’s what they pay US for.
Ah, @“Peter_Viscarola_(OSR)”, you’re living the dream! Me, I’m writing drivers to support class 2 medical devices, robotic control systems and drivers for custom hardware used by the govt and LE, all of which are covered under a little bit tighter guidelines than “we couldn’t care less”.
For the FDA it’s [ https://daytontechguide.com/wp-content/uploads/2018/10/20-industry-requirements-for-medical-manufacturing-industry.pdf ]. The portion of the federal code that covers my stuff is 21 CFR 820.3(l), which requires manufacturers (that would be me, manufacturing something used in the overall medical device) to establish a “Quality System” (pg 13+). That QS is covered under ISO 13485, a massive tome [ https://www.iso.org/iso-13485-medical-devices.html ] of which I have to pay particular attention to clause 4.1.6 [ https://13485store.com/iso-13485-requirements/iso-13485-documentation-requirements/ ] which covers, among other things, the tools that I use in the production of the driver … that would be Visual Studio 2019 and its brethren.
You probably missed it in my posting, but I never stated that the regulatory agency would specify the tool(s) I use … I specifically stated “As a result, Visual Studio needs to go through a submission process to each of these agencies which can take weeks at best, usually months” and most of that is spent satisfying clause 4.1.6 [ https://www.iso.org/obp/ui#iso:std:iso:13485:ed-3:v1:en ] by yours truly. Specifically,
4.1.6 The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application.
The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.
Records of such activities shall be maintained (see 4.2.5).
Every single time a part of the toolchain changes, it’s a new submission of 4.1.6 stuff for me … that’s what I said in my original post, that’s what remains today and you’re really lucky that you aren’t running into that …
Robotic systems and systems which can affect human life are covered under a different part of federal code [ https://www.osha.gov/otm/section-4-safety-hazards/chapter-4 ], and essentially have the same reporting requirements of the class 2 medical device. The main difference between the FDA and the OSHA guidelines is that OSHA also requires you to make a risk assessment of the tools you use (which after the VS2019 “allocate and clear” function debacle y’all spotted is not quite the checkbox it used to be) which again requires lots of paperwork … all of which again needs to be redone for every single toolchain change.
Now, for US Govt military related work, there’s a nasty shitload of stupid stuff about where you can store your code and such and what security measures you take. But the tool chain itself? No. It’s simply not controlled.
You’re talking about SCIF rooms, which is something I don’t do since I don’t have the right clearances … but most military and LE organizations follow the guidelines in NIST 800.53 [ https://en.wikipedia.org/wiki/NIST_Special_Publication_800-53 ] as a baseline, most adding a few layers of paperwork such as NIST 800.171. The main thing here is becoming “NIST 800.53 compliant” which again entails validating what you’re using.
And think about it. Who would control or vet this supply chain for industrial devices? The answer is “nobody.”
FDA controls the medical device supply chain very nicely, OSHA controls the industrial robotic device supply chain nicely, the various LE and govt agencies control their own supply chains. They are all quite capable and able to shut you down at a moment’s notice …
And the whole “go to prison” thing? Nah. No way. Not unless you lie on one of those terminally ridiculous audit forms that ask you about your security procedures. That is a federal offense.
Exactly … every single document you produce and submit to the FDA, to OSHA, to the various govt and LE agencies is covered under federal law and if things go south or during an ISO audit of the client someone thinks you are omitting something or lying about something you get a visit from the FBI. You have to be very careful about what you submit to the govt and what you say to investigators, just like with a tax return, to make sure it’s as accurate and as truthful as possible or you go away for a very long time.
If on the various forms you state “I use Visual Studio 2022 but I have no idea if it works or not, I just installed the update and started using it” you’re being truthful, but you won’t be doing any current or future business for the company. If you state “I use Visual Studio 2022 and I have carefully examined it and tested the programs it generates for both quality, suitability of purpose and generally accepted privacy and security guidelines” you’ll be allowed to continue your work, but you had better actually do that testing and be able to document it and that takes time and money … and again, for every single update …
To be honest I’m actually astonished that in all the work that OSR has done it’s never run into the vagaries of FDA class 2 medical, or OSHA robotics compliance, or the NIST hell-scape … you have truly lived a blessed life!
Peter