Setting the Standard
May 10, 2000
Table of Contents
I take full cognizance of the conflict inherent in my writing about "who should write standards?" I am, after all, co-chair of a technical committee in an ANSI-accredited SDO (XML TC of Health Level 7). I am chair of the group charged by the TC to draft an XML document architecture for healthcare. Worse, I am under contract to HL7 working on one project and worse yet, in negotiations with them over another standards-writing project.
Chutzpah acknowledged, I can only say that my aspiration for this piece is that it be called a candid insider perspective. To the charge that my own view colors the picture, I confess a hearty mea culpa.
Setting the Standard
There is an anomaly about high-tech standards writing. To folks outside the industry, they are a high-potency soporific. To insiders, they have been described as the ultimate techie rush. This disparity is not such a bad thing. It has meant that some very bright people have quietly donated great chunks of time to making standards work, while the outside world has provided little in the way of either help or interference. But it is not at all clear that the system, or lack of system, will scale.
It is time to ask some fundamental questions: Who should write standards? What kind of organization, with what type of by-laws and membership, and who should pay for it? What makes for the greatest good and can sustain innovation, competition, and cooperation? What has produced good results in the past and what can we learn from this to guide the future? In his article, "The OASIS Process for Structured Information Standards," Jon Bosak lays out a strong case for firm, known, time-tested open committee processes with some adjustment for the composition of a sometimes-virtual technical committee. This article looks at the larger support framework for such processes and asks what kind of organization writes the best standards and how should this work be supported.
Well, how important is it where a railroad will be built? Where the stations be will located? The gauge of the tracks? This infrastructure will be with us for a long, long time. If we screw up this technical infrastructure, either the trains won't run or they will have YouKnowWhoSoft written on every car.
The code written on the backs of the DOM, SAX, and XML is still fresh, but how long will it be before the dependency on these specifications is as deeply embedded as the code for the two-digit year? At its simplest, Y2K was a failure of the standards writing process.
Another way to answer this question -- How important is standards writing? -- is to step outside of high tech and look at governance of comparable, non-technical processes. Controlling the specification linking electronic documents seems no less vital than setting the standards for materials, dimension, and durability regarding an interchange on the interstate highway system. Yet our much-touted information superhighway is in the hands of a scattering of private, member-driven consortia and de facto processes. Jurisdiction is anarchic, determined by professional politics, market force, and the law of first come, first served.
Personally, I'm not at all sure that this is all bad. I have grave doubts whether a government agency can be effective in directing the creation of a high tech standard or specification. Right now in healthcare, in the US, we have a mandate from Congress to the Department of Health and Human Services to create such standards. To its credit, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) advocates that the specifications themselves be developed and maintained under the care of a bona fide standards development organization (SDO). For the most part, the role of HHS has been to choose among existing standards, and to foster standards development where needed.
The Department has led an exceptionally open process, creating industry advisory groups and liaisons to standards organizations, and sifting millions of comments on proposed regulations. At the end of the day, however, HIPAA is bearing down on the industry as one more problem, rather than one more solution.
HIPAA carries the subtitle "Administrative Simplification" but, according to Health Data Management, "there is nothing simple about the administrative simplification provisions." The magazine reports that in February the American Medical Association said that "despite the best intentions of federal officials, the complexity of the proposed privacy rule unacceptably increases administrative burdens for physicians while inadequately protecting patient confidentiality." [HDM, April 2000, p.85 "The Dawn of HIPAA."] Modern Healthcare reports government claims that HIPAA will save $1.5 billion over five years, while sources in the industry debate how many multiples of the $8.5 billion spent on Y2K HIPAA will consume. [Modern Healthcare, January 31, 2000, p.5]
There is no doubt that standards are desperately needed. The legislation, lobbied for by industry, acknowledges a gross failure in self-regulation. The cost of HIPAA must be weighed against the cost of not doing it. The only thing that could be worse would be to try and to fail.
One catch-22 in the legislation states that HHS will write requirements using existing standards. This is a well-intentioned directive not to reinvent an American Standard Code for Information Interchange (ASCII). The effect, however, on a regulation process that takes two or more years and then is frozen for one year after issuance is to disallow the use of current and emerging technical specifications. The HIPAA regulations, in the works since 1996, will use proprietary EDI syntax well into this millennium.
Given the immense difficulty of adapting a civil service to rapid change and the general cyber distrust of government everywhere, I don't expect to see a wave of demand for direct government oversight of high tech standards. On the other hand, I think it is time to ask how the agencies of the common good (to avoid the "government" label) can support this work.
In the US, we have a National Institute of Standards and Technology (NIST), which is an agency of the US Department of Commerce, and is supported through tax dollars and fees for service. We also have the privately funded American National Standards Institute (ANSI). Certainly, they have the talent and expertise to understand the issues better than most career bureaucrats, but they have not projected themselves into the center of this activity.
NIST's mission, according to their web site, could be interpreted as creating standards. They are heavily involved in standards testing and have very little on-going in the origination of standards. NIST hosts the Interagency Committee on Standards Policy (ICSP), which ensures government adoption of standards. The list of current work products reflects a role as booster and enforcer of standards-based procurement, but it begs the question of who creates the standards that the ICSP supports.
Closer to the bone, the NIST Voluntary Products Standards Program will actually administer the development and publication of a standard, when approached by a qualifying group. One qualification is that the applicant provides the funds. The purpose of VPSP is "to establish nationally recognized requirements for products." In this capacity, NIST acts "as an unbiased coordinator in the development of these standards, provides editorial assistance in their preparation, supplies such assistance and review as is required to assure their technical soundness and to seek satisfactory adjustment of valid points of disagreement." Not a bad description of what is required for administrative support, but this facility has not been taken up by the high tech world. According to the NIST web site, current standards that mention "soft" did so in the context of "wood" -- as in plywood and softwood.
The American National Standards Institute (ANSI) is a private, nonprofit membership organization. It is not itself a standards body, but a vetter of standards bodies. It "facilitates [standards] development by establishing consensus among qualified groups. The Institute ensures that its guiding principles -- consensus, due process and openness -- are followed by the more than 175 distinct entities currently accredited." This is not a bad thing, but how well does it track and monitor the 175 entities and the 14,650 approved standards (a number that grew by five percent in 1999)? Certainly, any oversight by ANSI is better than none, but its role as accrediting organization cannot work without the existence and cooperation of the SDOs themselves.
So, who is actually writing high-tech standards today? Apart from those organizations affiliated with ANSI, who share some common structure and commitment to open governance and process, there are many smaller, ad hoc and formal organizations with no affiliation, and no stated intention of coming under the umbrella of ANSI (or anyone else). These bodies range from the World Wide Web Consortium (W3C) to OASIS to the team of David Megginson and XML-DEV, who wrote and maintain the Simple API for XML (SAX).
The W3C was created in 1994 to foster Web standards. Today, it has more than 50 researchers and engineers working at the three host agencies: the Massachusetts Institute of Technology; the Institut National de Recherche en Informatique et en Automatique (INRIA); and Keio University. Structured as a research organization, the primary constituency of the W3C are its corporate members, who pay most of the freight. (See "W3C and the Web Community.")
The Organization for Advancement of Structured Information Standards (OASIS) is also member-supported, but OASIS honors individual membership and participation as well as corporate sponsorship. OASIS is not an R&D organization, although it has increased its staffing since taking on the ebXML and xml.org initiatives.
And then there is the no-organization organization of XML-DEV and SAX, and similar projects including early VRML. Briefly, Megginson is the progenitor and maintainer of SAX, and responds to the open constituency of the XML-DEV mailing list. The debate on XML-DEV over maintenance of SAX (see archives "Democracy and the Future of SAX, 2/9/00-2/16/00, and Jon Bosak’s post, "SAX, OASIS, &c." 2/22/2000, available at http://xml.org/archives/xml-dev/threads.html) and again in the article on OASIS published here. He touched on the core issues of who should write standards, who should maintain them, and how those bodies are best constituted. In urging that future development of SAX be handed to a formal body such as OASIS, Bosak asserted that only a democratic process could insulate the standards process from the pressure of the marketplace.
The adequacy of the W3C process comes under frequent review on XML.com, with critics citing the exclusion of non-corporate, non-institutional members. Some promote in its place the loose, informal process that currently maintains SAX. On the feasibility of safeguarding a standard in an ad hoc organization, Bosak wrote on XML-DEV:
It is possible to operate this way only in the absence of concrete economic interests in proposed features of the specification. The artistic climate in which this group has been operating won't last when subjected to the stresses of big competitive investments in the outcomes of certain decisions.
Having toiled in the vineyards of SGML and related standards for close to a decade before taking on the mantle of "SGML for the Web" from Yuri Rubinsky, Bosak knows of what he speaks. He continued:
In the absence of a democratic process, SAX will be defined by companies like Sun and IBM that build it into their products. The first time that IBM makes a change to their version of SAX, the opinions of this group [xml-dev] cease to be relevant. The notion that you are somehow in control of what happens to SAX under the current arrangement is completely illusory. What I'm suggesting is that the group that developed SAX take actual control of it in a way that prevents it from being stolen out from under you.
These are plain words that I expect will be heeded. The proposal was met not so much with push-back as with reluctance to adopt known models with perceived faults. Simon St. Laurent wrote:
I hope that SAX remains tightly connected to the community of developers who have created it, and that the ever-growing need for interoperability, that often-taken-for-granted aspect of all XML development, is enough to keep the legal departments and vendor consortia out of the picture.
The underlying tension in these discussions is the knowledge that if non-commercial organizations, of whatever stripe, fail to produce standards that are accepted by the marketplace, we will have vendor-controlled protocols in place of standards. The market needs interoperability, and if the only way to get it is to climb on some commercially driven bandwagon, big fish and small fish alike will do so, however uncomfortable it may prove.
We know that we must have formal superstructure and we know that it must follow well-defined procedures. If we accept the need for a time-tested procedural guide with a modern update to define technical committees, we are still something short of the required mix. Successful standards-writing needs the following:
- support staff
- technical experts with domain experience
- technical experts with implementation experience
- professional technical writers (ignore the redundancy here)
- the community of interest (some open channel representing the interests of the full spectrum of those who will be affected by the new standard)
There is a further element, less tangible, which nevertheless can’t be overlooked. A high percentage of the standards that have influenced our industry (in a positive way) to-date had at least partial parentage in research and development, or through a concerted effort that was funded and shielded from requirements other than to produce new intellectual property. Tim Berners-Lee wrote HTML while solving problems for a research institution, a fact that undoubtedly influenced the design of the W3C.
While the administration of the HIPAA standards effort has been conscientious and well-intentioned, one has to question whether the qualities that make a good civil servant also make a good technical leader. Avoidance of risk is important in the civil service, but does not foster innovation, even when innovation is the order of the day. In an ideal world, regulatory agencies would set requirements, and technical standards would be the transparent means to fulfillment.
There is no failsafe recipe for innovation, but we do know that if you can’t afford the ingredients and your chef has to train new volunteer staff each day, you won’t get the results you are looking for.
An old socialist sociologist once taught me that if you want to understand a system, follow the money. When I look at how the various standards-writing outfits support themselves, I come up with these models:
- private (typically corporate) funds: participants are well-endowed, and most costs are borne by participants, rather than the standards body. When committees meet six times a year on four continents, this defines a rather elite club.
- membership: some combination of individual, corporate, or institutional dues, with power in the organization apportioned to those who actually pay the freight. In this model, corporate dollars seem to speak the loudest.
- sale of intellectual property
- public funds through tax dollars, grants, or public agencies
The question is, what best supports the democratic apportionment of power and the need for concerted development? The trust fund model is not a replicable model for an industry. The membership model? Only if you believe that affluent corporations are the only true citizens. Sale of intellectual property? This is increasingly difficult in an open-source world.
There is a purism about standards writing that seems to say, if you are accepting money, somehow your motives are tainted, your work is suspect. Yet very few people do this work without financial support. "Paid" and "volunteer" merely designate whether the funding is through an employer (who sees a business interest in the outcome) or through a public agency (which sees a public benefit in the outcome.)
It is time to jettison the illusion that committees of volunteers working on hypertime can produce an original solution without full support from staff, experts who are not working 65 hours/week, and professional writers and editors. It is time to jettison the idea that the loft of a standard is commensurate with either the poverty and self-sacrifice of the authors, or related to the power and self-interest of the progenitors.
Disdain for the exchange of money during standards building is an aristocratic affectation that is out of place in an "open" process where meetings are frequent and held across multiple continents. Apart from dues, participating in standards development demands time and usually travel. Even where dues are set to allow the participation of individuals, most individuals cannot both earn a living and participate. Simply assuring open membership does not assure open access when there is no underwriter for the process, and today those underwriters come almost exclusively from the corporate sector.
The final arbiter will always be the marketplace and, again, this is both necessary and good. The last thing we want to do is preclude innovation from whatever quarter. While the marketplace always has the last say, it is incapable of choosing a good standard when none is presented, and it does not consider long-term good when short term profits are at stake. So how can we build a reliable source of standards?
The answer to this is on neither side of the direct-participation vs. representation debate, and is not completely addressed by specification of internal group process. We have to have an organization that can foster intensive intellectual effort and shoulder the on-going process of maintaining and building consensus around the standard. We need the processes described by Jon Bosak and under development at OASIS, but we also need to fund these organizations in such a manner that they can foster sustained, creative, independent work. We need both leadership and consensus building.
So, how should government be involved, and where should the money come from? Professional societies and industry consortia have a role, as do government and regulatory agencies. I'd like to suggest a National Endowment for standards writing; a set-aside -- even a voluntary one -- created through profits of companies who have benefited from existence of standards. In essence, this is what the W3C has designed itself to be, by soliciting funds from interested parties and, to some degree, insulating the process from their direct control. NIST, which already invests heavily in seeding technology, could start a program to underwrite the development of the standards that are most needed. In fact, if you shake the family tree of ebXML, you'll find that one of the strong influences, the CommerceOne eCo Framework is the third generation of standards writing done under a NIST grant.
Financial support alone, of course, is not sufficient, and not everything can be standardized -- indeed not everything is ready to be standardized. As my co-chair in HL7, Dr. Robert Dolin of Kaiser Permanente, likes to say, "A standard can't be written before its time." In this context, the failure of the Department of Health and Human Services to meet the initial deadline for regulations protecting privacy of patient records reflects real uncertainty on the best course of action, rather than a failure of technical leadership. Additionally, just having industry representatives sit on a committee is not equivalent to reference implementations, a requirement that is embedded in the process of groups such as the Internet Engineering Task Force (IETF) and the Object Management Group (OMG).
An open, democratic process and public financing form a necessary, but not sufficient, context to ensure good work. If you ignore either process or the financial subsidy for standards writing, you put the power into the hands of those with a strong self-interest and the ability to pay.
I would like to acknowledge the excellent criticism and insight I received from a number of readers and interviewees--Jon Bosak, Tim Bray, Michael Champion, Bob Dolin, Mary Kratz, C. Michael Sperberg-McQueen, John Spinosa, Lauren Wood. While their comments were invaluable, they are of course, not responsible for the outcome.