How to Use Open Source Technologies in Safety-critical Medical Device Platforms
0 likes793 views
This document discusses the use of open source software and technologies in safety-critical medical device platforms. It argues that medical device vendors should be using open source to implement safety-critical requirements, contribute to open source projects, and create their own open source projects. Open source can help address the need for more connectivity and interoperability between devices as healthcare moves towards integrated systems. However, open source also presents compliance, reliability and security challenges that require risk assessments, hazard analysis, and processes to validate code from open source projects.
How to Use Open Source Technologies in Safety-critical Medical Device Platforms
- 1. Open Source Software (OSS) and Technologies in Safety-critical Medical Device Platforms Using Open Source to Design Connected Medical Devices Shahid N. Shah, CEO
- 2. NETSPECTIVE Who is Shahid? • Chairman, OSEHRA.org Board of Advisors • 20+ years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance) • 12+ years of healthcare IT and medical devices experience (blog at http://healthcareguy.com) • 15+ years of technology management experience (government, non-profit, commercial) www.netspective.com Author of Chapter 13, “You’re the CIO of your Own Office” 2
- 3. NETSPECTIVE Open source software (OSS) is in your future • You’re moving from standalone boxes to fully integrated systems • mHealth demands more interoperability • Your customers demand flexible workflows with enhanced functionality • Your customer demand data integration with their systems • Security of medical devices is under great scrutiny and excuses aren’t going to be accepted www.netspective.com 3
- 4. NETSPECTIVE The new realities of patient populations Prevention • Education • Health Promotions • Healthy Lifestyle Choices • Health Risk Assessment Management • • Obesity Management Wellness Management • • • • • • • Assessment – HRA Stratification Dietary Physical Activity Physician Coordination Social Network Behavior Modification • • • Diabetes COPD CHF • • • • • Stratification & Enrollment Disease Management Care Coordination MD Pay-for-Performance Patient Coaching • • • • Physicians Office Hospital Other sites Pharmacology • Catastrophic Case Management Utilization Management Care Coordination Co-morbidities • • • 26 % of Population 35 % of Population 35 % of Population 4% of Population 4 % of Medical Costs 22 % of Medical Costs 37 % of Medical Costs 36 % of Medical Costs Source: Amir Jafri, PrescribeWell www.netspective.com 4
- 5. NETSPECTIVE Wireless BAN Ecosystem is complex without OSS Source: Qualcomm www.netspective.com 5
- 6. NETSPECTIVE Data is getting more sophisticated, analysis even more so It’s hard today but will be even harder tomorrow Economics Administrative www.netspective.com Phenotypics Behavioral Biochemical Genomics Proteomics IOT sensors 6
- 7. NETSPECTIVE Implications of healthcare trends PPACA ACO Software Regulated IT and Systems Integration Services MU Health Home www.netspective.com PCMH mHealth DATA Evidence Based Medicine Comparative Effectiveness 7
- 8. NETSPECTIVE What users want vs. what they’re offered Data visualization requires integration and aggregation What’s being offered to users www.netspective.com What users really want 8
- 9. NETSPECTIVE Evolving Healthcare IT Enterprise Architecture You need to fit into a complex environment Device Teaming Cloud Services Patient Self-Management Platforms SSL VPN Patient Context Monitoring BaaS Gateway (DDS, XMPP ESB) , Device Data Data Transformation (ESB, HL7) Remote Surveillance Management Dashboards HIT Integration Report Generation Device reimbursement www.netspective.com Enterprise Data RCM, Financials, EHRs Device Management Cross Device App Workflows Device Utilization Device profitability Alarm Notifications Device Inventory 9
- 10. • Should medical device vendors be using open source to implement their safetycritical requirements? • How about contributing to open source projects? • How about creating their own open source projects? www.netspective.com 10
- 11. Yes! • If you’re not using open source projects in your own devices then you’re doing far more engineering work than is necessary. • If you’re not contributing to open source then you’re not making code you rely on better. • If you’re not creating open source then you’re missing a valuable marketing opportunity. www.netspective.com 11
- 12. NETSPECTIVE Connectivity is a must, OSS is answer Most obvious benefit Least attention Most promising capability This talk focuses on connected devices www.netspective.com 12
- 13. NETSPECTIVE Appreciate tradeoffs The more connectionfriendly a device, the harder it is to validate it Integrationfriendliness Ease of validation Lesson: Demand Testability www.netspective.com 13
- 14. NETSPECTIVE What are we afraid of when it comes to OSS? Compliance Reliability Will the FDA and other regulators accept open source code in safetycritical systems? Is open source code safe enough for medical devices? www.netspective.com 14
- 15. Yes, of course. Proof: we did it at American Red Cross in 1996 for a Class 3 device built on a modern enterprise IT ecosystem Lesson: Risk managers and quality leadership often use regulators as an excuse to prevent OSS use because of OSS illiteracy, not legitimate strategy or actual evidence of harm. Reality: Regulators don’t care about your use of open source, they care about safe systems that meet intended use. www.netspective.com 15
- 16. NETSPECTIVE Code you write is not necessarily safer There is significantly more and better testing of large open source projects than you could ever do In an integrated ecosystem, you have to learn how to rely on others and do so safely and effectively Modern IT systems’ custom components www.netspective.com 16
- 17. NETSPECTIVE It’s not as hard as we think… • Modern real-time operating systems (open source and commercial) are reliable for safety-critical medical-grade requirements. • Open standards such as TCP/IP DDS, HTTP and XMPP can , , pull vendors out of the 1980’s and into the 1990’s. • Open source and open standards that promote enterprise IT connectivity can pull vendors into the 2010’s and beyond. www.netspective.com 17
- 18. How to start using OSS immediately
- 19. NETSPECTIVE Remove OSS illiteracy from decision making Understand open source licensing, remove the fear of IP loss www.netspective.com Understand where code is coming from and what test harnesses included Get in touch with the open source developers to find out the current utilization 19
- 20. NETSPECTIVE Choose the right OSS projects Requirements traceability possible? Code reviews conducted by OSS code authors? Unit testing conducted by authors? Continuous integration system employed? Integration testing conducted? Performance testing conducted? Safety testing conducted? Security testing conducted? www.netspective.com 20
- 21. NETSPECTIVE Engender trust in the code’s provenance Connect to the revision control system of the open source project www.netspective.com Create your own binaries Create a process to securely sign the binaries Create your own deployment packages 21
- 22. NETSPECTIVE Integrate OSS into your QSR process Employ continuous integration (CI) for your own and OSS project components Create a process to test the binaries using code coverage tools Keep an eye on changes coming in from the source and retest regularly www.netspective.com Conduct continuous hazard and risk analysis of outside code Review your process with the compliance officers and get their regular buy in 22
- 23. NETSPECTIVE But it’s not easy either…we need Risk Assessments Hazard Analysis Design for Testability Design for Simulations Documentation Traceability Mathematical Proofs Determinism Instrumentation Theoretical foundations www.netspective.com 23
- 24. NETSPECTIVE OSS hazard and risk assessment • What is the intended use for the device or system? • How will the OSS product you’re planning to use going to be tied to your intended use? • What is the risk associated with the OSS product for that particular intended use? R = S h x Ph www.netspective.com 24
- 25. NETSPECTIVE Risk is related to severity and harm R = risk Sh = severity of harm Ph = probability of harm R = S h x Ph • Harm is damage done to a person • Severity is the degree of harm done • Probability is the frequency and duration of exposure www.netspective.com 25
- 26. NETSPECTIVE Examples of Severity & Probability Severity Probability • multiple fatalities • fatalities • severe injury (non-reversible, requires hospitalization) • moderate injury (reversible, requires hospitalization) • minor (reversible, requires first aid) • very minor (no first aid) • • • • • • • www.netspective.com Constant exposure Hourly Daily Weekly Monthly Yearly Never 26
- 27. NETSPECTIVE Formal risk assessment methods What-if analysis Preliminary hazard analysis (PHA) Fault tree analysis (FTA) www.netspective.com Failure modes and effects analysis (FMEA) Hazard and operability studies 27
- 28. NETSPECTIVE OSS Risk analysis steps - FMEA Define the function of the OSS product being analyzed. Identify potential failures of the OSS. Determine the causes of each failure types. Determine the effects of potential failures. Assign a risk index to each of the failure types. Determine the most appropriate corrective/preventive actions. • Monitor the implementation of the corrective/preventive to ensure that it is having the desired effect. • • • • • • www.netspective.com 28
- 29. NETSPECTIVE Good summary of FMEA • http://en.wikipedia.org/wiki/ Failure_mode_and_effects_analysis www.netspective.com 29
- 30. NETSPECTIVE Sampling of OSS / open standards Project / Standard Subject area D G Linux or Android Operating system OMG DDS (data distribution service) Publish and subscribe messaging AppWeb, Apache Web/app server OpenTSDB Time series database Open source project Mirth HL7 messaging engine Built on Mule ESB Alembic Aurion HIE, message exchange Successor to CONNECT HTML5, XMPP JSON , Various areas Don’t reinvent the wheel SAML, XACML Security and privacy DynObj, OSGi, JPF Plugin frameworks www.netspective.com Comments Open standard with open source implementations Build for extensibility 30
- 31. NETSPECTIVE OSS applicability to connectivity Physical • Wired, wireless (WiFi, cellular, etc.) Logical • Device Gateway Data Routers Systems Structural • Security, Numbers, Units of Measure, etc. Semantic • Presence, Vitals, Glucose, Heartbeats, etc. www.netspective.com 31
- 32. NETSPECTIVE OSS applicability to manageability Security • Is the device authorized? Teaming Inventory • Device grouping • Where is the device? Presence • Is a device connected? www.netspective.com 32
- 33. NETSPECTIVE OSS enables extensible devices Legacy Devices www.netspective.com Future Devices 33
- 34. NETSPECTIVE Shahid’s “Ultimate Connectivity Architecture” 5 Device Components Sensors Storage Display Web Server, IM Client • Presence 6 • Messaging • Registration • JDBC, Query Plugins 3rd Party Plugins App #1 App #2 7 4 Connectivity Layer (DDS, HTTP, XMPP) 3 Plugin Container 2 1 Security and Management Layer Device OS Event Architecture Location Aware (QNX, Linux, Windows) SSL VPN Healthcare Enterprise 8 Patient Context Device Gateway (DDS, ESB) Inventory Notifications Cloud Services Data Transformation (ESB, HL7) Management Dashboards www.netspective.com Workflow 9 Enterprise Data 34
- 35. NETSPECTIVE OSS in Ultimate Architecture Core Connectivity is built-in, not added Device Components Think about Plugins from day 1 Build on Open Source Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Device OS (QNX, Linux, Windows) Don’t create your own OS! www.netspective.com Security and Management Layer Create code as a last resort Security isn’t added later 35
- 36. NETSPECTIVE OSS enables plugin architecture Device Components 3rd Party Plugins App #1 App #2 Plugins Event Architecture Location Aware Plugin Container Device OS (QNX, Linux, Windows) www.netspective.com Connectivity Layer (DDS, HTTP, XMPP) Security and Management Layer 36
- 37. NETSPECTIVE OSS in connectivity components Surveillance & “remote display” Remote Access Alarms Device Components Design all functions as plugins Event Viewer Web Server, IM Client • Presence • Messaging • Registration • JDBC, Query Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Device OS (QNX, Linux, Windows) www.netspective.com Security and Management Layer 37
- 38. NETSPECTIVE OSS in device components Virtualize! Device Components Sensors “On Device” Workflow Patient Context, too www.netspective.com Storage Web Server, IM Client Display Event Architecture Location Aware 3rd Party Plugins Plugins Connectivity Layer (HTTP, XMPP) Plugin Container Device OS (QNX, Linux, Windows) Security and Management Layer 38
- 39. NETSPECTIVE OSS enables enterprise integration Device Teaming Cloud Services Patient Self-Management Platforms SSL VPN Patient Context Monitoring BaaS Gateway (DDS, XMPP ESB) , Device Data Data Transformation (ESB, HL7) Remote Surveillance Management Dashboards HIT Integration Report Generation Device reimbursement www.netspective.com Enterprise Data RCM, Financials, EHRs Device Management Cross Device App Workflows Device Utilization Device profitability Alarm Notifications Device Inventory 39