Landmines In Poor Software Development--Legal Risks from Sales through Support September 7, 2012 Southern California Software Process Improvement Network (SCSPIN) John Cosgrove, P.E., Fellow NAFE JCosgrove@computer.org, www.CosgroveComputer.com Michael Krieger, Esq., PhD mkrieger239@earthlink.net
Our Touchstones • Seeing as expert consults a parade of bad processes from sales to support • Noting very big awards, i.e., many times (e.g., 5x and up) the value contracted • Recalling the messages in “Why Software is So Bad” cover story, MIT TechReview, July 2002, and “Software Engineering and the Law”, IEEE Software, May/June 2001, John Cosgrove
Why Software is So Bad MIT Technology Review July 2002
MIT TR and Cosgrove – The Fix • The fix is going to be lawyers inflicting enough pain on s/ware companies (or gov’t regulat’n) • NOTA BENE: Whether due to code or implementation, big system failure => Business Loss May Far Exceed Contract $ • Failed system victim’s problem: computer contracts limit liability; litigation is dreadfully expensive directly and on internal resources
Sunshine Mills v Ross Systems • Alabama jury awards $61M for ERP system where original s/w licence was $250,000 • 15 Dec. 2010 • A pet foods company in the US alleged that its ERP supplier fraudulently misrepresented the capabilities of its software.
Headlines – InfoWorld etc. • University accuses Oracle of extortion, lies, 'rigged' demo in lawsuit • 2011/12/14 • Montclair State elaborates on case against Oracle over ERP project gone wrong • Chris Kanaracus – IDG
Division of Labor • John Cosgrove – Avoiding danger: Pitfalls to Spot and to Avoid, Processes to Implement, etc in Major System: sales devl’ install’n -> etc • Michael Krieger – Legal vulnerability: Legal environment: outlines of law and litigation elements to reveal their application to cases of poor practices
JC - Topic Outline • How projects can fail • Origins of Failure: Deliverable Definition; Unrealistic Expectations; Defective Process Discipline • Origins of Legal Risks • Case Histories: Insurance Policy system; Component Distributor; Auto Mall SCM • Summary Cosgrove Computer Systems Inc.
MK – Topic Outline • Trim v. Oracle – outline facts, big $$$ • Life cycle of a lawsuit • Contract v. Fraud theory of suit: why care? • How this played out in Trim. • Summary Judgement Motion by D: what-why? • Lack of success => settle • Look at cases John describes
American Trim v. Oracle • American Trim = joint venture of Alcoa & Superior Metal Prod’ – components for GM, Ford, etc. • Needed common system to interface with manufacturers; EDI was required (1996) • Oracle: we’ve got that – Trim: Let’s see. • Mock up demo purported to be live • Long delay as Oracle tried to implement • Trim cancelled, sued for $1.8 M paid • Jury: $3M compensatory + $10M punitive
Life Cycle of a Lawsuit • Complaint by Plaintiff – view#1 of facts, theory of harm and damages • Answer by Def – view#2 of facts etc. • Discovery - Depositions, document production, &&. Costly, contentious, protracted; computer=> experts • Summary judgment (and other) motions • More of above • Trial and possibly Appeal
Key complaint theories • Breach of contract: parties make mutual promises, one fails to fulfill obligations • Contract: typically sets out remedy for various breaches, i.e., mutually agreed limits on damages • Tort: breaching a societal obligation may entitle injured party to all reasonably foreseeable damages. E.g. neighbor cuts down your tree; unsafe premises • Misrepresentation: may qualify as tort • Bingo: cast vendor failure as a tort to get all losses, not just amount paid
Key fraud/contract distinction • “Fraud,” i.e., misrepresentation involves misstating the present, or sometimes wholly unfounded claims about the future, not just promises about it. • E.g., as to capability; resources; existence of software in use, is in beta, planned, ??? • Depth and availability of team. • All these subject to the spectrum from small exaggeration to fabrications of facts that the buyer relies on
BSkyB v HP(EDS) Comment "Payment of £318m [for] an IT dev’t contract of £50m and which had a limitation of liability cap set at £30m is a very painful reminder to HP and others that the law of misrepresentation is alive and that senior management need to have processes in place [so] that they can take immediate action if there is any suggestion of fraudulent practices during the sales process or otherwise."
For litigators in failure cases • Docs and email: likely hold key to case, i.e., no need for dealing with bits/bytes • Expert costs are much smaller • Juries can understand incompetence, lying and cheating, not hex, interrupts. • Lawyer can understand his/her case! • Smaller cases become “litigatable,” i.e., the cost doesn’t overwhelm the expected ROI
Plaintiff and defendant goals • P: Include fraud, i.e., really bad misrep’ that was critical to the loss • D: fight factual + legal basis of claim; Resist discovery; Move for Summary judgment • M/SJ: your honor, facts so far show that a fraud claim has no legal basis. So toss the claim, no need to put the issue before a jury
Role of summary judgment • Defendant does not want the fraud claim and associated facts before a jury due to risk of big damages • Consequently, cases tend to settle if the court sustains the fraud claims • Note that a defendant can appeal, as did Oracle in Trim, which is why we know about it. • Question: why did Oracle even go to trial and let a jury see such an ugly set of facts?
American Trim v Oracle Appeal • Upheld trial court on fraud, high damages. • Special note of “present” tense by Oracle • Fraud reached well up management ladder • Reviewed whether it was reasonable for Trim’s people to believe the simulation was live, whether attendance at a convention should have clued them that s/w not in beta. • Upheld all lower court findings
The SW Development View • Factors which affect the developer’s legal risks. • Mistakes the client makes
How Projects Can Fail • Cost – Quality – Schedule • Getting too costly – Budget is ?? • Causes major errors – Too risky • Still not done – Schedule is ?? • Unacceptable: don’t pay, sue (& replace) • How to recover/replace system • Salvage or do-over • Who pays for recovery?
Origins of Failure • Defective definition of deliverable • Unrealistic expectations • Defective process discipline
Deliverable Definition • What is the deliverable? • Describing it in the contract • Should include process requirements • Change management at least • Features, cost & schedule • Acceptance criteria & procedure • Define priorities–Independent Variable • Cost, schedule or quality? • Any cost or schedule OK with low quality
Unrealistic Expectations • Communicating expectations both ways • Supplier • Promised too much, too soon, too cheap • Competitive bids can set the stage • Client • Short term decision criteria – cost & schedule • Failed to ID critical trade-off factors
Defective Process Discipline • Software is Invisible • Disciplined process overcomes this • Management only possible with process elements suitable to the project • Automated support must be suitable • Size, complexity, risk elements, etc. • Testing processes – explicit, recorded & enforced • Legal risks largely driven by process discipline
Origins of Legal Risks • Most litigation starts with project history • Artifacts start with the solicitation/sales stage • Representations generated by both sides • Definitions & obligations expressed in contract • Features, cost/schedule & required process • Artifacts generated by development stage • Absence of artifacts may become critical • Project status, testing records, etc. • Artifacts generated by deployment stage
Case Histories • Insurance Policy System • ERP System for Electronic Component Distributor • Auto-Mall SCM System
Insurance Policy System -- I • Off-shore developer’s quality was unacceptable to insurance underwriter • Design discipline & testing failed • System produced invalid policy documents • Customers sued citing financial risk • Code was fragile causing DB corruption and system crashes • Discovery document revealed internal review recommending system re-write
Insurance Policy System -- II • Developer’s quality assurance process • Design discipline & testing failed to detect policy data corruption from improperly designed terminal sessions. • Ineffective programmer supervision produced fragile code without error control. • Lack of independent QA ignored known defects risking client’s business survival
Component Distributor ERP - I • Business model – Next day delivery • System promised < 1 Y, <$5M • Allowed Go-Live with known defects after cost & schedule exceeded • Critical Operations failed with Go-Live – bankruptcy followed • Only assets are potential damages against suppliers
Component Distributor ERP -II • Disciplined process promised but not followed • Supplier experienced two mergers during project • Supplier Management team restructured & compromised • Records show management inconsistencies
Auto Mall SCM System – I • Multi-brand auto mall orders replacement Auto-retailing SCM • System was promised “turn-key” in 1 week • Critical features promised for all brands • EDI inventory management • Common lead management
Auto Mall SCM System –II • Promised turn-key is incomplete with some features yet to be developed. • Neither of 2 critical functions are operational with multi-brand dealers • SCM sales team was conflicted with pressure to book sale by EOY.
Development Summary • Software Intensive Systems Fail • “Trend” is for potential liability awards to be measured by business loss • Implicit “Duty of Care” requires evidence of disciplined processes • Software developers must observe levels of care similar to professions