OSCHA 2001 NHS stream: Ray Henry

Ray Henry's talk was interesting because he showed that licensing can be a major obstacle, even when publicly funded developers are keen to proceed with open sourcing an app. He talked to slides, but the transcript is clear without them.

Chair: Our next speaker is a man who has an application which he would like to be open source in the health service. What are the problems?

Ray Henry: Thank you. Good afternoon everyone. Having just listened to Jeremy's presentation, it was quite interesting the number of common links between our two projects. Jeremy's is a big complex system; ours is small and PC based. But we both hit the same issue at the end: how do we take it forward? We know what we want to do; how do we take it forward?

So that's what I'm actually going to concentrate on. Very quickly then, just to place, what we are, and where we have gone, so we've context, we're going to talk about a product that is finished and ready to go.

I'm from the Public Health Laboratory Service. Our responsibility within the NHS is to deliver medical microbiology services within the hospitals across England and Wales. We also do communicable disease surveillance and we also have responsibility for hospital infection: we lead in that.

My particular remit is the IT strategy within the region where I work: Wales. We have our various laboratories and surveillance people, so I have to produce products and satisfactory solutions for them. Now, one of the interests today is infection control in hospitals: a real issue which needs someone to tackle it. Hospitals need to control infections because otherwise their wards get shut down, and patients get complications. This is also very closely associated with antibiotic resistance, so if you don't manage infections in the hospital properly, you splash antibiotics around the place, you end up with resistance, which leads to further problems, and we're all very worried about this. And the cost is enormous. It's now been recognised that by the government that we have to do something about it. We need the information, we need the control mechanisms, we need to understand where we are.

So it's now a government target, passed down to the trusts to do something about it. The problem is that there are no products suitable for it. Now it so happens that back in 1997 we started work on this very area. We were given money by the National Assembly of Wales to develop a system. What they said to us was: "We need you to collect regional data on this subject so that we can understand what's happening and intervene and do something about it. We looked around, and we saw no satisfactory product. We also decided that the only way to do it was to build something that the hospital infection control nurses themselves would use. And out of that would come the data naturally flowing to us at region so we could do the surveillance that was required. So we built a PC-based system for helping the nurses manage hospital infection. And we then gave that out to all of the hospitals in Wales. So there are 8 currently operational and 4 other waiting in the wings for the new improved software. That will all happen in Wales. It starts to bring us on onto what the problem is. The other key element is, why is this an advanced product? It takes the data from other systems--the laboratory computer systems where the microbiology results are and gives them to our system, which loads them, and prevents extra data entry. So PHLS in Wales in developed it. We did it under contract with a small private company. We own the code. Very quickly then, without boring you, what would this product be?

It's a PC-based Windows appearance, opening screen InControl. Usual thing we've all seen before, various medical things on it, we're not interested in how it operates, it's just so you understand it's a regular kind of package which we've all used. And it produces graphs. It's the kind of thing the nurses would like. So that's that. We understand what the product is.

It's 4 years old, it's gone through a major upgrade to comply with current software updates, we've gone through a third party developer, the copyright is owned by PHLS, it's publicly funded, targetted at infection nurses, we get the data. Everything's sorted--in Wales.

Now the problem is: we've got a good product. And when we looked around the market place we found no-one else had as a good as this, otherwise we'd have happily replaced it: I don't want to be in the business of supporting software. But we've got a product that we've used and seen it's better than anything, and we've got colleagues in England knocking on the door and saying, "Can we have this?" and we want to give it to them.

So the issue then becomes, very quickly, how do we give it to them? Now, first of all we only knew of one way, and that was the closed model and then Tim Benson of Abies introduced us to the idea of Open Source.

So very quickly, we're all familiar with these now, if we go for the closed model we could take the software back into our company or we could leave it outside, but we get tied to a development team which could evaporate, as we've already heard from our first speaker.

If you lose your team, then you lose your knowledge, and if you try and move it elsewhere you'll still have problems. If you take it to a vendor, well, you've got other potential problems there. You've got support fees, you've got level of service, you wonder about the future strategic development of the company, I didn't know we were going to have a session on collapsing vendors. What I really wanted to know was if we went to the wrong vendor, would they just put it on the shelf. Because their product--although rubbish--they could make some money off it. So they might buy up the rights to ours, and then put it away, and we couldn't do anything about it. So all sorts of problems as far as we're concerned attached to it. And apart from anything else there's the issue of how you decide who the vendor is, is why are they selling it when it's already been purchased and paid for by public money?

So where we start to move into: "Well, we'll give it freely to people." EpiInfo was mentioned in the conference earlier, we use EpiInfo all the time; free software from CDC, great. Well, then Tim said, "You could include source code, that'll encourage the private sector to help you support it. The idea being we place the software out into England, or on the internet where it is collected by the hospitals. They quickly realised that their IT departments don't want to support it or can't support or want to go to a private sector company who will support it. Now if the source is there as well, these comapnies are going to be more confident in doing so. So we thought "Oh yeah, this is a good idea." and then there are other issues. We may have already achieved our main goals but there are other things we like to do but we've got no more money, but this particular product for instance we develop for a new development which is a Palm Pilot version of the product which we could just take it to the ward, plug in the data, in it goes. Who's going to pay for that?

Well maybe, if it's open source then someone is going to come along and say, "well we could do that" and the then the decision becomes is this open source or is this whatever. but the main point is that we'd have achieved an enhancement of the whole project for the benefit of public health.

So we've removed the monopoly position of the supplier, we've maximised the public interest benefit from it, we can pursue further specialist interests in hospital trusts as they see fit, and we also, which has become fashionable now, promote public health partnerships. So, hey, we're looking good.

Then we discovered there is a general public license we can use so we're thinking, we're there, we can put it out with this license, we got copyright, the software would be given free, they can give it people, we include the source code, and most of all--our biggest concern--we don't have to be concerned about warranty. So don't come to us for costs if we do some damage to you. My company is risk averse. We don't like making anything that could entertain a risk.

Anyway, we've got a product, we've got a license, hey, we're ready to go. We even got a company expressed interested--EpiNet, who said "We'll support it" You stick it up on the web and they take it down and sell it to people ready to go.

What happened? Lawyers.

[hearty and prolonged laughter in audience]

Ten months ago I asked how we would do it. Eight months ago we decided we would go open source, six months ago, I just gave some of the presentation you just saw to our senior board, and they said "this is great, we'll do this." And then it was given to the business department, who then went to the lawyers, who then said "you need your own license, couldn't possibly use this public license."

What are they worried about? Copyright? They really weren't worried about copyright. Agreement on use and people to copy it further? They weren't really too bothered about that either. Liability? They're going to sue us. That's what they were worried about. Very, very, very worried about being sued. Would the patient have care taken upon them as a result of this software? Did the software break the... ? All these issues. And are all these components free for use? Fair question. And then thery were worried about our means of distribution, which is something I'll pick up in a minute.

So just picking up the main issues that worry these people. Because what we are into now is writing our own licence. With solicitors in London working on it. And the joke is, if they carry on working on it for much longer, it'll cost more than the software costs.

[audience laughs]

I reckon it would just be cheaper to give it to people and if we got into legal action, just buy 'em off. Want a thousand? There you go.

Liability. Yeah they felt they could set it up free of charge, as is, with no warranty. They were not too bothered about that. But they were very finicky about indemnifying the PHLS because if the third party, say a private company like EpiNet then gives it on to someone else, they wanted to make sure that we were covered, whatever use the software was put to. They also got very anxious about consumer protection, out of the blue. Well, if you put it up on the internet, anybody could get it. And that means they could put it on their PC, and if it breaks their PC they might sue us. Well, don't ask me, but that's what they're worried about. Well consequent to that I get squashed.

There's some serious issues here. It should have gone on the internet. The idea of open source is that it is a community, people in the States might want to look at this and so on. but they say, no, you can't do that, we're going to restrict you to UK-distribution only because of the concerns I have outlined. In fact we're going to restrict you to NHS users. But they seem to have managed to do that and give it to a private company. Don't ask me how they've managed that, but they've done it. And to make sure only those people can use it we therefore can only put it on the NHS intranet, so that restricts access. So we're still getting somewhere, but we've been cut back a lot now. And, O, just in case you thought that wasn't enough, when they take the software they've got to take a password, and the only way they can get the password is by email you their details.

That's not as bad as what they wanted, but I said, "Look I'm not doing that, but if they just email me their details I'll just print them off and stick it in a filing cabinet, and they get their password by return, and the lawyers are happy. They think they've got registration and I've got a filing cabinet of people which I never look at

[inaudible audience comment and laughs]

So the other issue then was compliance with third party components and I think this was touched on at the end of Jeremy's talk. InControl, our product, was written using Delphi 4, OK, developer's language. And our contractors, Computerisation, also used InfoPower as a toolset to help them build, we asked that they also used Crystal Reports runtimes to help give good graphics and some Wyse scripts for installation. All third party products. We had to check the licenses for every one of them. So we have to make sure we are only redistributing runtime components, and when we checked we did find there was one thing that wasn't, that had to be taken out, but it didn't cause problems. Now we thought, this shouldn't be an issue this is standard practice in IT. I've taken Delphi, I've paid for it, I've used it, I've taken code, I've compiled the code, and Delphi says "this you can give to anyone." That's my understanding. Now my attitude is that if someone got into there and it's distributed, it's Delphi's fault. Because I rely on their toolset. Not to the lawyers; they were not convinced about this at all. So we had to do was get all the licenses of all the code and give it to the solicitors for them to check that we were allowed to do everything we were suggesting, can we distribute executables, can we distribute libraries, can we distribute source code, who owns the source code, uh, uh, all of the things we have to do. Any special server components because they have to have extra licenses--we don't use servers so that one was irrelevant, get Computerisation to reaffirm that you do have the copyright, oh, and by the way, see if you can get them to accept liability for the work

[audience laughs]

Well, I had a quiet word with them, and not surprisingly they said, "We're not signing this" but we had to try it on. Would have been a great cop-out for a PHLS--look, it's their fault.

O, and then, remember, this is developed by a contractor, small company under their software licenses, so when they checked the licenses they said "you can't distribute this software" because it was compiled under their licenses, which you are not party to. So I had to buy all of the packages, some of which, like Delphi 4, is going back a bit now, and I had to ask Delphi, please, please, can I have an old copy of Delphi, so I got that off them. And then we had to compile all of the code in our office so that we could distribute it under our license.

These are the kind of legal issues we are faced with. And then the business manager had to write to all of the third party software people saying "Are you sure we can do this?" Because they wanted to cover our backs. But, we are getting there. So currently we do have a finished project that's used in Wales, we're going to give it to everybody in Wales, until the PHLS says you can't. If they tell us we can't then we have to stop, but if we just carry on, it's custom and practice, but in England we can't. Well there's a sublety about the fact the National Assembly for Wales is paying for it, and they don't really want to get into legal argument about whether they can take on the Welsh assembly. But we can give it to colleagues in England, but we don't have a license. We do have a draft license, that seems to be coming very close to completion now.

But, it's only been written for the NHSnet. And if somebody takes it down, and wants to give it on a CD this lawyer says, you've got to have a different license. And it's so specifically written, that if I change from Delphi 4 to Delphi 6, which I will wish to do very shortly, we will have to change components of the license, so this is not helping. We need help here. NHS Information Authority help us. We need to go here and say, can we draw down a license which gives us the ability to send this out to everybody and indemnifies us? That's what we want. So this is what the process is like;

[funny slide, lots of laughs]

To wrap up, so it's not too depressing, there are some very interesting issues once we achieve this, which is standard in the open source community, there are going to be patches, there are going to be fixes, and we've got to make sure we distribute them. I guess we'll be able to do it through the internet. I don't think that will be too much of a problem. But then it gets interesting. People are going to come back and say, "This is good, but... I'd like to do this with it now." Now, if we don't want to do it because it doesn't suit our purposes or strategy, then I'm happy for them to do it, but then we do into very interesting areas of how this is dealt with. And the larger scale developments as well... if we're not involved, then who owns them? I would like to be able to encourage them, and say, yes you can do this, we encourage you to sign up to an open source agreement, or even just pass the code to us so we can authorise it. It goes into a new file, we would then have to quality assure any new code provided to us. And I think the NHS would appreciate that, that's what they would like. PHLS is well known in the NHS, if you get a piece of software that says this is the current version of InControl, as approved by the PHLS, then people will use it. If it doesn't bear that stamp then they're not going to be quite so sure.

And then the final point is going through the legal issues. And my main issue is: this shouldn't be a problem for me, but it is. Somebody needs to help us and the rest of the community who want to go down this route to sort out the legal issues, so that we can actually help our line managers I guess to understand that they shouldn't be frightened of doing this.


Audience member: O go on.

Audience member: A couple of comments. [inaudible] solicitors...


and secondly, could you develop this product, and when you've finished, we'd like you to open source it which is what happened to [inaudible]

Ray Henry: we had the ownership of the product, so

Audience member: yes but like I said, if you had just gone to them

Ray Henry: Yes, I see your point now. No, they didn't want to. The very first thing when we decided to get this out, was to speak the developers and say "would you like to release this product, because we don't want to; it's a business opportunity for you." But they said "We don't want to, it's not really what we're into. We just take money for developing, you can do what you like with it after that. We don't want to do that." And then it was a question of moving it from them to someone else, and to get my company involved.

Audience member: If you'd gone for open source in the first place, you wouldn't have had all these problems.

Ray Henry: yeh, well, I didn't even know open source existed at the time so...

Audience member: Things evolve, and that's a good point. Yes? Tim?

Tim Benson: Would you agree that the city lawyers had every financial incentive for making things as difficult as they did?

Ray Henry: Well my skeptical view would go along with that.

Audience member: We've had the same experience in a smaller way at the university...

Audience member: Open source isn't just a threat to the software community, from licenses to the legal community, there are other [inaudible] in the chain, and what you've done is block what the business of the software developer is, only 20% is development, and the other 80% is business and lawyers and accountants, and you're getting into all of that in exactly the same way.

Copyright Ray Henry 2001. You may reproduce this page in any medium provided this copyright notice is also maintained. Transcription by Douglas Carnall: dougie@carnall.org
Index | Carnall | OS projects | Richards | Rogers | Todd | Henry