Tag

risk
By Ron Baerg and Mike Russell “You can pay me now, or you can pay me later” was the punch line of a memorable TV commercial by the FRAM® company about their oil filters around 50 years ago. The “me”: a car mechanic. Their point: paying (a little) now to replace your oil filter regularly...
In May 2023, FDA centers CDER and CBER released guidance on the integration of risk with quality management. Per FDA, these are “principles and examples of tools for quality risk management that can be applied to different aspects of pharmaceutical quality.” The guidance covers the general quality risk management process but discusses the roles and responsibilities...
Software risk analysis requires consideration of both the development process itself and the runtime environment.
Crisis Prevention and Recovery, LLC / SoftwareCPR, Tampa, FL USA – (November 22, 2022) “We are pleased to announce that our Partner and General Manager, Brian Pate, has been selected  for membership on the UL 1998 Standards Technical Panel for Software (STP), with oversight of UL 1998 standard, Software in Programmable Components.  Brian will provide stakeholder input to...
On November 15, 2022, I had the pleasure to log in to a “live” FDA CDRH Industry Basics Seminar on Understanding Risk with Medical Devices.  You can view the workshop at this link: https://fda.yorkcast.com/webcast/Play/4aecf454d2d54039a1d5a6a3001d78c31d I did enjoy the materials presented and I do think the presenters Joseph and Tonya did a great job. I would recommend...
Crisis Prevention and Recovery, LLC / SoftwareCPR, Tampa, FL USA – (November 15, 2022) “We are pleased to announce that our partner, Dr Peter Rech, has been reappointed to serve the next 3 years as convener for IEC technical committee 62/SC 62D/MT23 Infusion Pumps.  In this role, Dr Rech will be responsible for organizing and administering...
ISO 14971:2019 Medical Device Risk Management, A Software Organization’s Perspective Public Training Course DATES:  Jan 9-11, 2023 Includes “how to” for application of IEC 62304 for software risk management! COST: 3 Full Days for $2,995 DISCOUNTS: 3 or more students from same company: 10% discount (off full registration) November 2022 Early Registration:  $2,395 Register at...
A course dedicated to “SaMD Risk Management Training?” Yes and much more! More discussion on Risk Management Training between our General Manager, Brian Pate, and our Partner, Dr. Peter Rech, regarding our January 2023 public training course on the application of ISO 14971 and IEC 62304 to system risk analysis and software risk analysis.  Our...
I recently spoke with Dr. Peter Rech about the 2019 update to ISO 14971 as he and I prepare for our upcoming public training course on January 9-11, 2023, in Tampa, Florida USA.  Registration information can be found at this post: 14971 Risk Management Training Course If you would like more information on applying IEC 62304...
The US FDA announced on December 21, 2021, a cybersecurity alert for the Fresenius Kabi Agilia Connect Infusion System.  The announcement referenced a Cybersecurity and Infrastructure Security Agency (CISA) publication of a vulnerability disclosure ICSMA-21-355-01 on the Fresenius Kabi Agilia Connect Infusion System. Successful remote exploitation of these vulnerabilities could allow an attacker to gain...
AAMI Post Market Risk Management Report
This content is only available to our Premium subscribers. See our Subscribe page for information on subscriptions. ISO 14971 was updated and released in 2019. We previously discussed the internal debate regarding ISO 14971 in this post ISO 14971 versus the EU Commission. There are several items to consider with the new update: Section 10.1 - “The manufacturer...
Understanding OTS and SOUP is very important in every lifecycle stage of medical device and HealthIT software development. In the late 1990s, the US FDA first published guidance documentation on the use of Off-The-Shelf (OTS) software in medical devices (or sometimes referred to as “OTSS”). At that time, OTSS generally accounted for a very small...
ISO 14971 Risk Analysis Identifying safety risks in medical devices is a challenging and laborious process.  The process standard, ISO 14971, is a systematic, total product risk management lifecycle process to identify, control, and evaluate risk, where risk is defined as the combination of severity of the harm (to people, property, or environment) and probability...
A probe into a series of engine failures on Airbus’s smallest jet, the A220, is studying whether a software change set off unexpected vibrations that damaged fast-moving parts and forced three emergency landings. Investigators are focusing their attention on recent changes in engine software that may have caused parts that compress air inside the engine...
The 2015 Amendment 1 update to IEC 62304 added a new clause that requires identification of “categories of defects associated with the selected programming technology” and providing analysis and other evidence demonstrating “that these defects do not contribute to unacceptable risk.”  Read a recent article on challenges with using C language.
The US Defense Advanced Research Projects Agency (DARPA) have released a solicitation for the “Automated Rapid Certification of Software (ARCOS)” project.  The project goal is to automate system risk assessment based on software assurance.  The project recognizes that current practices in this area rely upon human judgement which can be prone to error but also...
The West Australian reported that two autonomous haulage systems (AHS) trucks experienced a collision when one of the trucks backed into the cab of the second truck that was stationary at the time.  This is of interest to us as the AHS trucks are software controlled and they crashed.  Clearly a failure mode.  The initial report is...
FDA issued a Safety Communication on January 31, 2019, (see Safety Communication Link) warning of the risk of air being introduced in a blood vessel (air-in-line) and air embolism for infusion pumps, fluid warmers, rapid infusers, and accessory devices.  This communication is directed toward users (both clinical and service personnel) and patients.  However, what can system architects,...
The Verily Study Watch is a device worn on the wrist that digitizes patient physiologic measurements and processes the raw data through algorithms both on the wrist worn device and additional processing when communicated to cloud based computing systems.  The idea is that the Verily watch would be worn similar (or as!) a consumer device...
What concerns FDA when conducting a benefit-risk assessment of medical devices?  The answer is a long list of variables that can vary by type of device, target population, and indications for use, but the clear focus is on patient safety and benefit. The FDA considers both the device benefit-risk assessment, as well as evidence and...
This update addresses International and US National medical device standards ("a view of the landscape") being developed or revised that may be of interest to developers of software for medical devices or healthcare. Some of these standards are used directly for regulatory purposes and others may be valuable in demonstrating to regulatory authorities that a...
Here are some thoughts from a recent conversation between Sherman Eagles, Brian Pate, and Alan Kusinitz of SoftwareCPR®: Cybersecurity vulnerabilities can have unpredictable effects on safety.  Unpredictable effects … to those who have worked to reduce risks of software failures in medical device software, that phrase may be familiar.  That concept is explained in relation to...
FDA, together with the National Science Foundation (NSF) and the Department of Homeland Security, Science and Technology, held a public workshop May 18-19, 2017. Results of this workshop, including webcasts of the sessions, are at the FDA website. Public Workshop – Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, May 18-19, 2017
Although IEC 82304-1 Health Software: General requirements for safety has been published it is not clear when it will be harmonized in the EU. Nonetheless it appears EU notified bodies are treating it as “state-of-the-art” and are likely to expect it to be used for software products that are regulated as medical devices. IEC TR...
Sherman Eagles of SoftwareCPR® recently coauthored an article published by AAMI in the Jan/Feb 2016 BIT Journal entitled “Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality.”  You can read the article at this link: 2016 Jan-Feb BIT Cybersecurity Sherman is well known as an expert in medical device standards and has been involved in many...
NOTE: This is for historical reference as a final guidance was issued Sept 2017 and is posted separately. FDA issued a new draft guidance entitled “Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices”. This guidance addresses medical devices that exchange information whether wired or wireless including through the internet. It includes unidirectional...
Note: This draft is OBSOLETE and included for historical reference only. Look for the final draft elsewhere on this site. To view the guidance click this link: 2016-01-FDA Post market Cybersecurity draft guidance This guidance references a number of Presidential Executive Orders related to critical infrastructure and cybersecurity as a driving force for FDA’s increased oversight...
Stan Hamilton and Brian Pate of SoftwareCPR offer the following tip. As risk managers, we often struggle to draw the line for inclusion of foreseeable misuse. We ask questions like what is credible, and how far must you go? When performing risk analysis, we decide if it is credible enough to list as a hazard...
In SoftwareCPR’s opinion, a somewhat unique, very well conceived, and well designed tool for the specialized craft of risk analysis as well as safety assurance cases.  The tool is very configurable, allowing customized structures for your own methods.  The ability to view data from an FMEA, FTA, or table view saves valuable time during creation...
Sherman Eagles of SoftwareCPR co-authored AAMI’s recently published article “Reducing Risks and Recalls: Safety Assurance Cases For Medical Devices” in the January/February 2014 issue of BI&T (Biomedical Instrumentation & Technology; a monthly, peer-reviewed journal from the Association for the Advancement of Medical Instrumentation). The full article is posted with permission at the link provided. Any...
AAMI recently published “Assessing a Hospital’s Medical IT Network Risk Management Practice with 80001-1” in Biomedical Instrumentation & Technology (BI&T). The article reports on an actual hospital network/health IT assessment using 80001-1 as one of the tools for the assessment.
A January 2014 ACM Journal has an interesting article on software verification at NASA JPL for the Mars Curiosity Rover at the link provided. A few things that I found interesting: Their standard for flight software is ISO-C99. The coding standard at JPL (http://lars-lab.jpl.nasa.gov/JPL_Coding_Standard_C.pdf) is risk-based and has 6 “levels of compliance”. LOC-5 and LOC-6...
A 2003 computer science thesis done at the University of York entitled “The Safety of Software — Constructing and Assuring Arguments” is at the link provided. Software Safety Cases – PhD Thesis
Risk/hazard analysis for medical devices and their software requires extensive analysis, documentation, and maintenance of complex information. Creation and maintenance of extensive tables, fault trees, and HAZOP diagrams can seem overwhelming. For complex and high risk systems the information can be voluminous and software tools can be very productive. Trace tools such as DOORS, CALIBER-RM,...
This content is only available to Standards Navigator subscribers. See our Subscribe page for information on subscriptions. A new work item and draft technical report for guidance in implementing IEC 80001-1:2010. This TR provides practical guidance for doing risk management for hospital networks. The report is at the link provided until the review period ends on 24-Feb-2011. IEC...
On February 20, 2003, a final security rule 45 CFR Part 142 was issued. Subsequently HHS issued a series of educational documents regarding various aspects of the rule including administrative controls, physical controls, technical safeguards, risk management and others.  
The Carnegie Mellon Software Engineering Institute continued work on safety assurance cases for medical devices by publishing a paper entitled “Towards an Assurance Case Practice for Medical Devices” doing an example case for an infusion pump. The full article is at the link provided. Although this uses infusion pumps as an example it...
This topic includes links to software safety guidance from other safety related industries that have useful information that could be applied to medical device software. All of these and sometimes others are in the document library section of the website.
This content is only available to Premium and higher subscribers.  See our Subscribe page for information on subscriptions. The attached pdf is a SoftwareCPR training aide and should not be used blindly to fill in the blanks. It is a partial example of a software risk analysis procedure and report. It is just one partial approach that...
The Carnegie Mellon Software Engineering Institute performs a number of research projects each year. Their December report on these projects is at the link provided. One of the projects was on safety cases for medical devices. Sherman Eagles of SoftwareCPR and Paul Jones of FDA participated in this project. TECHNICAL REPORT CMU/SEI-2008-TR-025 ESC-TR-2008-025 SEI assurance case...
The pdf at the link provided is a reprint of 2 articles entitled “Sensible Software Testing” parts 1 and 2, with the permission of the author Sean Beatty of High Impact Services. Mr. Beatty was a member of the working group that developed AAMI TIR32: Medical Device Software Risk Management. He is very experienced in...
The pdf at the link provided is a reprint of an article entitled “Sensible Software Testing” with the permission of the author Sean Beatty of High Impact Services. Mr. Beatty was a member of the working group that developed AAMI TIR32: Medical Device Software Risk Management. He is very experienced in embedded programming and this...
With the permission of Oliver Christ of PROSYSTEM AG in Hamburg, Germany, you can view or download slides at the link provided entitled: Cost-effective Application of Usability Engineering and Risk-Management. Oliver and his partner are heavily involved in standards and these slides provide an excellent overview of medical device usability, software, and risk management standards...
This content is only available to Premium and higher subscribers.  See our Subscribe page for information on subscriptions. Prepared this example Device Risk Management SOP for the purpose of risk analysis training where the pros and cons could be further discussed.  This example is modeled on the approach required by ISO 14971 and expands on it with...
Dr. Nancy Leveson of MIT indicated that there are some new papers involving a demonstration of STAMP (and STPA) being used for safety-driven design of a new JPL mission to Europa including a very complete example. A JPL modeling language was incorporated (JPL was funding the work), but had little to do with the final...
This content is only available to Premium and higher subscribers.  See our Subscribe page for information on subscriptions. Crimson Life Sciences which performs language translations for labeling and user interfaces was assessed by Underwriters Laboratory for conformance with the ISO 14971 Medical Device Risk Management standard. The summary of the audit results is available at this link...
The US Department of Homeland Security (DHS) released software security information via a webpage, initiatives, and various documents related to software security. Some of this information (such as the paper on Security in a Software Lifecycle) may aid medical device IT and device software developers in designing in appropriate security and privacy measures to ensure...
The pdf at the link provided is a reprint of an article entitled “Risk-Based Validation of Multilingual Medical Devices” co-authored by Alan Kusinitz, Managing Partner of SoftwareCPR, and Kai Simonsen of the Crimson Life Sciences division Transperfect Translations for the AAMI Biomedical Instrumentation and Technology journal and published in the Summer of 2007. Reprinted with...
This content is only available to Premium and higher subscribers.  See our Subscribe page for information on subscriptions. The pdf at the link provided is a reprint of an article entitled "Uses and Misuses of Probability in Medical Device Risk Management" authored by Alan Kusinitz, Managing Partner of SoftwareCPR, for the AAMI Biomedical Instrumentation and Technology journal...