Fergal Mc Caffery

Medical Device Software Traceability

Software traceability is central to medical device software development and essential for regulatory approval. In order to comply with the regulatory requirements of the medical device industry it is essential to have clear linkages and traceability from requirements – including risks – through the different stages of the software development and maintenance life cycles. The regulatory bodies request that medical device software development organizations clearly demonstrate how they follow a software development life cycle without mandating a particular life cycle. However, due to the traceability requirements of the industry most medical device companies adopt the V-model. Within this chapter we will discuss the importance of traceability to medical device software development, the current state of practice within the industry in relation to traceability and how we feel that traceability could be improved within the industry. The chapter also describes the development and implementation of a medical device traceability software process assessment method (Med-Trace) in two medical device software development organizations. We include these two case studies as one involved a medical device SME based in Ireland and the other a medical device SME based in the UK as we want to illustrate that Med-Trace can be applied within different countries.

Risk management capability model for the development of medical device software

Failure of medical device (MD) software can have potentially catastrophic effects, leading to injury of patients or even death. Therefore, regulators penalise MD manufacturers who do not demonstrate that sufficient attention is devoted to the areas of hazard analysis and risk management (RM) throughout the software lifecycle. This paper has two main objectives. The first objective is to compare how thorough current MD regulations are with relation to the Capability Maturity Model Integration (CMMI®) in specifying what RM practices MD companies should adopt when developing software. The second objective is to present a Risk Management Capability Model (RMCM) for the MD software industry, which is geared towards improving software quality, safety and reliability. Our analysis indicates that 42 RM sub-practices would have to be performed in order to satisfy MD regulations and that only an additional 8 sub-practices would be required in order to satisfy all the CMMI® level 1 requirements. Additionally, MD companies satisfying the CMMI® goals of the RM process area by performing the CMMI® RM practices will not meet the requirements of the MD software RM regulations as an additional 20 MD-specific sub-practices have to be added to meet the objectives of RMCM.

Proposing an ISO/IEC 15504-2 compliant method for process capability/maturity models customization

The customization of software process capability/maturity models (SPCMMs) to specific domains/sectors or development methodologies represents one of the most discussed and applied trends in ICT organizations. Nonetheless, little research appears to have been performed on how theoretically sound and widely accepted SPCMMs should be developed to high quality. The aim of this paper is therefore to elicit the state-of-the-art regarding the processes adopted to develop such models and to propose a systematic approach to support the customization of SPCMMs. Such an approach is developed based on ISO/IEEE standard development processes integrating Knowledge Engineering techniques and experiences about how such models are currently developed in practice. Initial feedback from an expert panel indicates the usefulness and adequacy of the proposed method.

A Traceability Process Assessment Model for the Medical Device Domain

Traceability of requirements through the software development lifecycle (including supporting processes such as risk management and change management) is a difficult and expensive task. The implementation of effective traceability allows organizations to leverage its many advantages, such as impact analysis, product verification and validation, and facilitation of code maintenance. Traceability is conducive to producing quality software.

Hybrid Software Development Approaches in Practice: A European Perspective

The surveyed companies applied hybrid development approaches to specific projects even when company-wide policies for process usage existed. These approaches emerged from the evolution of different work practices and were consistently used regardless of company size or industry sector.

A lightweight traceability assessment method for medical device software

Traceability is central to medical device software development and essential for regulatory approval. For compliance to be achieved, an effective traceability process needs to be in place. This process must ensure the need for clear linkages and traceability from software requirements – including risks – through the different stages of the software development and maintenance lifecycles. This is difficult to achieve because of the lack of specific guidance within the medical device standards and documentation. This has resulted in many medical device companies employing inefficient software traceability processes. In this paper, we outline the development and implementation of Med‐Trace, a lightweight software traceability process assessment and improvement method developed specifically for the medical device industry. We also present and discuss findings from two industry‐based Med‐Trace assessments. Copyright

A Methodology for Software Process Improvement Roadmaps for Regulated Domains – Example with IEC 62366

Software process improvement initiatives offer many benefits in terms of productivity, cost savings and quality. As part of these initiatives organisations undergo an assessment and then embark on a software process improvement program to improve their existing processes to meet a desired target. These programs can be improved by the use of process improvement roadmaps that are tailored to the organisation and are usually non-transferrable. Within regulated domains, such as the medical device industry, adherence to international standards must be achieved before products can be placed on the market. This work proposes the use of software process improvement roadmaps to assist organisations achieve compliance with medical device standards. These proposed roadmaps will be generic in nature to meet the requirements of the standard, but will be subsequently tailored to meet the specific requirements of an individual organisation. In this paper we introduce the concept of the software process improvement roadmaps for the implementation of standards and detail a methodology for developing these roadmaps.

Piloting MDevSPICE: the medical device software process assessment framework

Software development companies moving into the medical device domain often find themselves overwhelmed by the number of regulatory requirements they need to satisfy before they can market their device. Several international standards and guidance documents have been developed to help companies on their road to regulatory compliance but working their way through the various standards is a challenge in itself. In order to help software companies in the medical device domain, we have developed an integrated framework of medical device software development best practices called MDevSPICE®. This framework integrates generic software development best practices with medical device standards’ requirements enabling consistent and thorough assessment of medical device processes. MDevSPICE® can be used by software companies evaluating their readiness for regulatory audits as well as by large medical device manufacturers for selecting suitable software suppliers. The MDevSPICE® framework consists of a process reference model, a process assessment model, an assessment method, and training and certification schemes. The framework has been validated using expert reviews and through MDevSPICE® assessments in industry. In this paper, we describe the MDevSPICE® process assessment framework focusing on its benefits and significance for the medical device manufacturing community as learned from MDevSPICE® assessments conducted to date.

Leveraging Reuse-Related Maturity Issues for Achieving Higher Maturity and Capability Levels

During the past 20 years Maturity & Capability Models (MCMs) become a buzzword in the ICT world. Since the initial Crosby’s idea in 1979, plenty of models have been created in the Software & Systems Engineering domains, addressing various perspectives. By analyzing the content of the Process Reference Models (PRM) in many of them, it can be noticed that reuse-related issues have unfortunately often little importance in the appraisals of the capabilities of software organizations while in practice they are considered as significant contributors in traditional process and organizational performance appraisals. While MCMs represent a good mean for assessing the status of a set of processes, integrating two or more models with a common area of focus can offer more information and value for an organization. The aim of this paper is to present some information about Reuse best practices and models, keep the best components from each model and – using the LEGO (Living EnGineering prOcess) approach to process improvement - merge those best practices from several types of maturity models into an organizational Business Process Model (BPM) in order to achieve in an easier and faster way higher organizational maturity and capability levels.

Development and validation of the MedITNet assessment framework: improving risk management of medical IT networks

The use of networked medical devices can provide a number of benefits such as improved patient safety, reduced costs of care and a reduction in adverse events. Traditionally, medical devices were placed onto a proprietary IT network provided by the manufacturer of the device. Today, medical devices are increasingly designed for incorporation into a hospital’s general IT network enabling devices to exchange critical information. However, this can introduce risks and negate the potential benefits to patients. While the IEC 80001-1 standard has been developed to aid Healthcare Delivery Organisations (HDOs) in addressing these risks, HDOs may struggle to understand and implement the requirements. The MedITNet framework has been developed to allow HDOs to assess the capability of their risk management processes against the requirements of IEC 80001-1. MedITNet provides a flexible assessment framework enabling HDOs to gain a greater understanding of the requirements of the standard and to improve risk management processes by determining their current state and highlighting areas for improvement. This paper examines the challenges faced by HDOs in the risk management of medical IT networks and briefly explains the components of the MedITNet framework and how the framework addresses these challenges. This paper also details how Action Design Research (ADR) was used in the development and validation of MedITNet.