OPENCHAIN CASE STUDY

OpenChain 3rd Party Certification

ORGANIZATION:

TÜV SÜD is a provider of testing, inspection and certification services based in Germany with subsidiaries in all major industries.

CHALLENGES:

  1. OpenChain is an established and growing de-facto industry standard but not yet an official one as of 2H 2019. OpenChain expects to become an ISO standard in 2020.
  2. While there are comprehensive services to support free self-certification to the OpenChain standard, there is a lack of 3rd party certification services for OpenChain Conformance within the software supply chain.

SOLUTION:

  1. TÜV SÜD addresses the above challenges by creating testing methods based on OpenChain that meet the requirements of 3rd party certification.
  2. Adjacent to this, TÜV SÜD has created a test mark and certification service for OpenChain compliance.

BENEFITS:

  1. The results of the independent TÜV SÜD assessment can serve as evidence for an appropriate compliance system in case of dispute.
  2. The assessment can also provide a competitive advantage through the issuance of a 3rd party certificate.

THE ORGANIZATION
TÜV SÜD was founded in 1866 as a steam boiler inspection association and has evolved into a global, future-oriented enterprise. Today TÜV SÜD is a leading technical service corporation catering to the INDUSTRY, MOBILITY and CERTIFICATION Segments. Its range of services embraces consultancy, inspection, tests and expert reports as well as certification and training. The company objectives are reliability, safety and quality, environmental protection and profitability. By providing these services, TÜV SÜD delivers a competitive edge to its clients throughout the world. TÜV SÜD has 24,000 employees around the world committed to optimizing technology, systems and know-how.

The range of TÜV SÜD services in the INDUSTRY Segment extends from support in ensuring the safe and reliable operation of industrial plants, buildings and infrastructure to testing of rolling stock, signalling systems and rail infrastructure. The TÜV SÜD experts in the MOBILITY Segment provide vehicle inspection and exhaust tests and support manufacturers in automotive design and development and in applications for international approval of new models and components. The CERTIFICATION Segment tests products throughout the world to ensure their marketability and market entry and certifies management systems across all sectors of industry. TÜV SÜD also offers a wide range of training for staff in the industry, trade and public sectors.

THE CHALLENGE
Modern supply chains are very complex and involve numerous parties from silicon to cloud deployment, depending on the market sector. Yet while responsibility for creating and assembling the various components of a product is shared, responsibility for the legal compliance of the solution delivered to the end customer lies with the last company in the chain. This responsibility is two-fold, being an inherent part of the legal obligations necessary for the right to distribute open source code and with respect to broader industry liability rules. The OpenChain Project addressed this challenge by defining the key requirements of a quality open source compliance program to support creating and releasing software solutions. The definition of these requirements, the OpenChain industry standard, is supported by extensive reference material and support for online and offline self-certification to the standard. However, by design there is no 3rd party assessment and certification for independent evidence of compliance inside the project itself. To ensure freedom of choice, the OpenChain Project envisions independent organizations offering such support across multiple industries.

THE SOLUTION
To offer a service similar to the quality level certifications, the OpenChain Project is collaborating with TÜV SÜD Product Service GmbH, who have created a certification scheme suitable for documenting the compliance of an organization with respect to the OpenChain Specification. TÜV SÜD developed an evaluation procedure to confirm the existence of a quality open source compliance program, as defined by OpenChain, in organizations of various sizes across multiple market segments. This third party certification is called TPS PPP 15001A. It was first awarded to Hitachi Ltd. in November 2018 and now makes up part of TÜV SÜD’s global product offerings. TPS PPP 15001A was built directly from the OpenChain Specification, independently of the OpenChain Self-Certification Questionnaire or other reference material. The process applied to its creation assures a perfect fit with the OpenChain Specification while assuring independence and aligning with TÜV SÜD’s existing and respected portfolios of certification services. It was also the first time the OpenChain Specification had a “clean room” reimplementation, underlining the coherency and maturity of the core document of the project.

THE BENEFIT
The OpenChain Specification is the first and only industry standard for open source compliance in the supply chain. It provides a lighthouse to indicate that a company has adopted industry best practices to ensure a reduction in liability and an increase in efficiency with respect to the deployment of software solutions containing open source code. For customers it means a simple question, “are you OpenChain Conformant?”, has the power to reduce uncertainty and the likelihood of remedial license compliance activities. For suppliers it means a simple statement, “we are OpenChain Conformant”, to indicate a commitment to quality and a significantly reduced chance that the solution provided will cause any open source compliance concerns. Both parties gain a competitive advantage.

OpenChain Self-Certification and Third-Party Certification both offer compelling ways for companies to display their positive position with respect to open source license compliance. Each has its place in the broader ecosystem, with companies of all sizes in all sectors aligning behind a clear, single solution for legal clarity around open source. TÜV SÜD’s TPS PPP 15001A aligns perfectly with existing practices in industries like automotive and infrastructure, slotting immediately into existing processes and portfolios with respect to displaying adherence to quality, security and export norms. It provides an independent confirmation of compliance with the OpenChain Specification as a worldwide service.

THE EXAMPLES
Automotive: Companies with an existing portfolio of independent certification to cover various international standards such as ISO9001/14001 (Quality Control) or ISO26262 (Functional Safety) can use TPS PPP 15001A as a drop-in expansion of their assurance offering.

Consumer Electronics: Companies in segments that have traditionally faced some exposure to open source compliance litigation (routers, etc.) can utilize TPS PPP 15001A as an independent confirmation that they are using industry norms to ensure best practices are applied towards solution compliance.

Infrastructure: Companies in sectors with 30-50 deployment cycles can use TPS PPP 15001A to confirm that they have processes in place to support solutions over extended periods, especially given that the processes inherently remove single points of failure in a given compliance program.