[R] R Software Risk Analysis

Marc Schwartz m@rc_@chw@rtz @end|ng |rom me@com
Fri Jun 19 19:48:46 CEST 2020


Hi All,

We need to get clarification from Kristin as to what kinds of issues are raised in the context of a risk analysis from her IT people.

Since Kristin's wording indicated:

  "...all programs that our employees/providers use must be vetted through the IT Department by way of a Risk Analysis."

that tells me that the risk analysis is *not* in reference to a software validation in the FDA sense of regulated clinical trials, not to mention that such validation is entirely on the end user, and not on the software publisher, in either case.

Referencing various FDA-related materials, such as the current R FDA guidance document and the 2015 FDA statistical software clarifying statement, is not likely to be helpful here, and I say that as one of the co-authors of the R FDA document, along with Frank Harrell, Tony Rossini and Ian Francis.

The general use by all employees context that Kristin references also suggests that one of the commercial vendors of R may or may not be helpful here either, unless they specifically provide consulting services and/or documentation to support their implementation of R and how it would conform to Kristin's IT department requirements, and not for use in an FDA-like trials setting.

For a general IT risk analysis, there is likely to be some kind of check-list or form that is required, and it will likely have questions such as:

1. Can R access operating system level commands - Yes

2. Can R access a local or remote file system, to create/read/delete files and folders - Yes

3. Can R access the internet to read remote locations and download files from servers - Yes

4. Can R alter operating system environment variables - Yes

5. Does the R installer require Administrative level privileges - Yes, with some qualifications, depending upon the platform

6. Does R provide end user documentation - Yes

and so forth.

There may be requirements set by Kristin's IT department where such characteristics will eliminate R from consideration, although many commercial and open source applications would also have similar functionality.

It may simply be a matter of her IT people understanding whether R provides or does not provide certain functionality, so that they know how it will perform in their environment, and what, if any, additional security measures may be required or need to be adjusted to enable required functionality.

Thus, in the absence of more detail from Kristin as to what is specifically required, it is hard to know how to respond within the context here of a community-based support list, and within the R community at large, where we all volunteer our time.

Regards,

Marc Schwartz
