Date[ June 17, 1998] Recordnr[ ] Stored[ magazine, file- cabinet, composition Who[ J.McDermid Title[ The Cost of COTS Published[ IEEE Computer, June 1998, Vol31 No6, an interview Keywords[ COTS Comment[ Quite quite an interesting interview discussing general cost issues of COTS in contrast to bespoke (custom solutions), especially for safety- and reliability-critical system. The article is very critical towards COTS, mainly talks from a viewpoint of critical systems (process control systems, not information systems). Summary[ Promises of COTS: eliminate sfotware development project that overrun time and cost, greater ability to interoperate diverse systems, quickly evolve large systems, lower costs COTS nowadays: GUIs, operations systems, databases ==> mainly large components (and what about CERN-libraries, statistic tools etc.?) Risk mitigation: Problem: COTS are often build without a strict process and documentation control, no clear QA, and are delivered without appropriate documentation of the process, and without e.g. complete test-suites etc. (solutions: certification, using an escrow i.e. depositing the documentation at a bank for the case the company disappears). How to access the quality? - retrospective assessment is more expensive than assessing the software when developing it, if possible at all (code analysis) - each upgrade has to be assessed anew - software has not been written with the goal to access it (whereas bespoke for critical systems is structured and written in order to be accessed) - accessing needs also been done for all unwanted functionality (additional effort not necessary for bespoke) How to demonstrate the desired level of reliability, availability, integrity? - unwanted functions with dangerous side-effects How to control future of a COTS-component? - component can go out of business - new releases with unwanted functions - cost of upgrading - wrappers do not solve any of above problems Cost-tradeoff between COTS and bespoke: - price of purchase versus development - price of assessing quality of COTS to desired quality level - price of integrating COTS - price for upgrades, price for accessing upgrades, price for integrating upgrades - risk of vendor going out of business and expected life-time of system COTS can offer historical data for its quality (e.g. OS but not things like Microsoftword which get updates too often), bespoke has not historical data but you know what you are developing and can assess that.