How to Use Open Source Technologies in Safety-critical Digital Health Applications and Medical Device Software

Shahid N. Shah
September 05, 2014

Presented at 3rd Annual Open Source EHR Summit - Key Takeaways:

* Outcomes driven care (vs. fees for service or volume driven care) is in our future
* Because outcomes now matter more than ever, open source digital health solutions are even more important
* There are new realities of patient populations driving open source even faster
* How to use open source reliably and securely in a safety-critical environment like medical devices

Transcript

  1. How to Use Open Source Technologies in
    Safety-critical Health Applications
    3rd Annual OSEHRA Summit
    Shahid N. Shah
    Chairman of OSEHRA Advisory Board

  2. NETSPECTIVE
    www.netspective.com 2
    Who is Shahid?
    • Chairman, OSEHRA Board of Advisors
    • 20+ years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance)
    • 12+ years of healthcare IT and medical devices experience (blog at http://healthcareguy.com)
    • 15+ years of technology management experience (government, non-profit, commercial)
    Author of Chapter 13, “You’re the CIO of your Own Office”

  3. Outcomes driven care is in our future

  4. Open source software (OSS) is in our future
    • You’re moving from standalone boxes to fully integrated systems
    • mHealth demands more interoperability
    • Your customers demand flexible workflows with enhanced functionality
    • Your customers demand data integration with their systems
    • Security of medical devices is under great scrutiny and excuses aren’t going to be accepted

  5. The new realities of patient populations
    • Obesity Management
    • Wellness Management
    • Assessment – HRA
    • Stratification
    • Dietary
    • Physical Activity
    • Physician Coordination
    • Social Network
    • Behavior Modification
    • Education
    • Health Promotions
    • Healthy Lifestyle Choices
    • Health Risk Assessment
    • Diabetes
    • COPD
    • CHF
    • Stratification & Enrollment
    • Disease Management
    • Care Coordination
    • MD Pay-for-Performance
    • Patient Coaching
    • Physicians Office
    • Hospital
    • Other sites
    • Pharmacology
    • Catastrophic Case
    Management
    • Utilization Management
    • Care Coordination
    • Co-morbidities
    Prevention Management
    26 % of Population
    4 % of Medical Costs
    35 % of Population
    22 % of Medical Costs
    35 % of Population
    37 % of Medical Costs
    4% of Population
    36 % of Medical Costs
    Source: Amir Jafri, PrescribeWell

  6. Customers are struggling with Accountable Tech
    Cost per patient per procedure / treatment going up but without ability to explain why
    Cost for same procedure / treatment plan highly variable across localities
    Unable to compare drug efficacy across patient populations
    Unable to compare health treatment effectiveness across patients
    Variability in fees and treatments promotes fraud
    Lack of visibility of entire patient record causes medical errors
    Everything your app/device does to help answer important questions below means more sales and better margins

  7. Opportunities for incremental or new revenue
    Fill clinical documentation into EHRs
    Improve alarm notification
    Review and perform complex event processing
    Add signal/data processing for new parameters
    Remotely upgrade and service equipment
    Automate clinical workflows
    Remote surveillance
    Gateways and interoperability appliances

  8. Wireless BAN Ecosystem is complex without OSS
    Source: Qualcomm

  9. Data is getting more sophisticated, analysis even more so
    Proteomics
    Genomics
    Biochemical
    Behavioral
    Phenotypics
    Economics
    It’s hard today but will be even harder tomorrow
    IOT sensors
    Administrative

  10. Implications of healthcare trends
    PPACA ACO
    MU PCMH
    Health
    Home
    mHealth
    DATA
    Evidence Based Medicine
    Comparative Effectiveness
    Software
    Regulated IT and Systems
    Integration Services

  11. What users want vs. what they’re offered
    What’s being offered to users What users really want
    Data visualization requires integration and aggregation

  12. Evolving Healthcare IT Enterprise Architecture
    You need to fit into a complex environment
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    BaaS Gateway (DDS, XMPP, ESB)
    Enterprise Data
    RCM, Financials, EHRs
    Device Inventory
    Cross Device
    App Workflows
    Alarm
    Notifications
    Patient Context
    Monitoring
    Device
    Teaming
    Device
    Management
    Report
    Generation
    HIT
    Integration
    Remote
    Surveillance
    Device
    Data
    SSL VPN
    Patient
    Self-Management
    Platforms
    Device Utilization
    Device reimbursement
    Device profitability

  13.
    • Should medical device and health IT vendors be using open source to implement their safety-critical requirements?
    • How about contributing to open source projects?
    • How about creating their own open source projects?

  14. Yes!
    • If you’re not using open source projects in your own devices then you’re doing far more engineering work than is necessary.
    • If you’re not contributing to open source then you’re not making code you rely on better.
    • If you’re not creating open source then you’re missing a valuable marketing opportunity.

  15. Connectivity is a must, OSS is answer
    Most obvious benefit Least attention
    Most promising capability
    This talk focuses on connected devices

  16. Smart buyers looking for poly-connectivity
    Device
    Hospital
    Network
    Corporate
    Gateway
    External
    Cloud
    Hospital
    Systems
    Option 1 (no cellular access or hospital IT integration required)
    Device
    External
    Cloud
    Option 2 (cellular access and no hospital IT integration required)
    DDS
    REST
    HL7
    X.12
    DDS REST
    MPEG-21
    MPEG-21
    Could be a Home
    Network, too
    Wired
    Wireless
    Bluetooth, WiFi, Zigbee, etc.
    Wireless, Cellular

  17. Appreciate tradeoffs
    Integration-friendliness
    Ease of validation
    The more connection-friendly a device, the harder it is to validate it
    Lesson: Demand Testability

  18. Regulatory Strategy
    510(k) PMA,
    Class 3, Class 2,
    etc.
    Unregulated
    EHR or others
    510(k)
    Class 2
    “Data Bridges”
    “Everything else”
    Customer registry
    Patient registry
    Patient profile
    Study Management
    Billing
    “The Device”
    Class 1
    MDDS

  19. What are we afraid of when it comes to OSS?
    Compliance
    • Will the FDA and other regulators accept open source code in safety-critical systems?
    Reliability
    • Is open source code safe enough for medical devices?

  20. Yes, of course.
    Proof: we did it at American Red Cross in 1996 for a Class 3 device built on a modern enterprise IT ecosystem
    Lesson: Risk managers and quality leadership often use regulators as an excuse to prevent OSS use because of OSS illiteracy, not legitimate strategy or actual evidence of harm.
    Reality: Regulators don’t care about your use of open source, they care about safe systems that meet intended use.

  21. Code you write is not necessarily safer
    Modern IT systems’ custom components
    There is significantly more and better testing of large open source projects than you could ever do
    In an integrated ecosystem, you have to learn how to rely on others and do so safely and effectively

  22. It’s not as hard as we think…
    • Modern real-time operating systems (open source and commercial) are reliable for safety-critical medical-grade requirements.
    • Open standards such as TCP/IP, DDS, HTTP, and XMPP can pull vendors out of the 1980’s and into the 1990’s.
    • Open source and open standards that promote enterprise IT connectivity can pull vendors into the 2010’s and beyond.

  23. How to start using OSS immediately

  24. Remove OSS illiteracy from decision making
    Understand open source licensing, remove the fear of IP loss
    Understand where code is coming from and what test harnesses are included
    Get in touch with the open source developers to find out the current utilization

  25. Choose the right OSS projects
    Requirements traceability possible?
    Code reviews conducted by OSS code authors?
    Unit testing conducted by authors?
    Continuous integration system employed?
    Integration testing conducted?
    Performance testing conducted?
    Safety testing conducted?
    Security testing conducted?

  26. Engender trust in the code’s provenance
    Connect to the revision control system of the open source project
    Create your own binaries
    Create a process to securely sign the binaries
    Create your own deployment packages

  27. Integrate OSS into your QSR process
    Employ continuous integration (CI) for your own and OSS project components
    Create a process to test the binaries using code coverage tools
    Conduct continuous hazard and risk analysis of outside code
    Keep an eye on changes coming in from the source and retest regularly
    Review your process with the compliance officers and get their regular buy in

  28. But it’s not easy either…we need
    Risk Assessments
    Hazard Analysis
    Design for Testability
    Design for Simulations
    Documentation Traceability
    Mathematical Proofs
    Determinism
    Instrumentation
    Theoretical foundations

  29. OSS hazard and risk assessment
    • What is the intended use for the device or system?
    • How is the OSS product you’re planning to use going to be tied to your intended use?
    • What is the risk associated with the OSS product for that particular intended use?
    $R = S_h \times P_h$

  30. Risk is related to severity and harm
    $R = S_h \times P_h$
    $R$ = risk
    $S_h$ = severity of harm
    $P_h$ = probability of harm
    • Harm is damage done to a person
    • Severity is the degree of harm done
    • Probability is the frequency and duration of exposure

  31. Examples of Severity & Probability
    Severity
    • multiple fatalities
    • fatalities
    • severe injury (non-reversible, requires hospitalization)
    • moderate injury (reversible, requires hospitalization)
    • minor (reversible, requires first aid)
    • very minor (no first aid)
    Probability
    • Constant exposure
    • Hourly
    • Daily
    • Weekly
    • Monthly
    • Yearly
    • Never

  32. Formal risk assessment methods
    What-if analysis
    Preliminary hazard analysis (PHA)
    Failure modes and effects analysis (FMEA)
    Fault tree analysis (FTA)
    Hazard and operability studies

  33. OSS Risk analysis steps - FMEA
    • Define the function of the OSS product being analyzed.
    • Identify potential failures of the OSS.
    • Determine the causes of each failure type.
    • Determine the effects of potential failures.
    • Assign a risk index to each of the failure types.
    • Determine the most appropriate corrective/preventive actions.
    • Monitor the implementation of the corrective/preventive actions to ensure that they are having the desired effect.

  34. Good summary of FMEA
    • http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis

  35. Sampling of OSS / open standards
    Project / Standard | Subject area | D G | Comments
    Linux or Android | Operating system | ✓ ✓ |
    OMG DDS (data distribution service) | Publish and subscribe messaging | ✓ ✓ | Open standard with open source implementations
    AppWeb, Apache | Web/app server | ✓ ✓ |
    OpenTSDB | Time series database | ✓ | Open source project
    Mirth | HL7 messaging engine | ✓ | Built on Mule ESB
    Alembic Aurion | HIE, message exchange | ✓ | Successor to CONNECT
    HTML5, XMPP, JSON | Various areas | ✓ ✓ | Don’t reinvent the wheel
    SAML, XACML | Security and privacy | ✓ ✓ |
    DynObj, OSGi, JPF | Plugin frameworks | ✓ ✓ | Build for extensibility

  36. OSS applicability to connectivity
    Physical
    • Wired, wireless (WiFi, cellular, etc.)
    Logical
    • Device → Gateway → Data Routers → Systems
    Structural
    • Security, Numbers, Units of Measure, etc.
    Semantic
    • Presence, Vitals, Glucose, Heartbeats, etc.

  37. OSS applicability to manageability
    Security
    • Is the device authorized?
    Inventory
    • Where is the device?
    Presence
    • Is a device connected?
    Teaming
    • Device grouping

  38. OSS enables extensible devices
    Legacy Devices
    Future Devices

  39. Shahid’s “Ultimate Connectivity Architecture”
    Device Components 3rd Party Plugins
    App #1
    App #2
    Security and Management Layer
    Device OS (QNX, Linux, Windows)
    Sensors Storage Display Plugins
    Web Server, IM Client
    Connectivity Layer (DDS, HTTP, XMPP)
    • Presence
    • Messaging
    • Registration
    • JDBC, Query
    Cloud Services
    Management Dashboards
    Data Transformation (ESB, HL7)
    Device Gateway (DDS, ESB)
    Healthcare Enterprise
    Enterprise Data
    Plugin Container
    Event Architecture
    Inventory
    Workflow
    Notifications
    Patient Context
    Location Aware
    SSL VPN

  40. OSS in Ultimate Architecture Core
    Device Components
    Security and Management Layer
    Device OS (QNX, Linux, Windows)
    Connectivity Layer (DDS, HTTP, XMPP)
    Plugin Container
    Don’t create your own OS!
    Security isn’t added later
    Think about Plugins from day 1
    Connectivity is built-in, not added
    Build on Open Source
    Create code as a last resort

  41. OSS enables plugin architecture
    Device Components 3rd Party Plugins
    App
    #1
    App
    #2
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Plugins
    Connectivity Layer (DDS, HTTP, XMPP)
    Plugin Container
    Event Architecture
    Location
    Aware

  42. OSS in connectivity components
    Device Components
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Web Server, IM Client
    Connectivity Layer (DDS, HTTP, XMPP)
    • Presence
    • Messaging
    • Registration
    • JDBC, Query
    Plugin Container
    Surveillance &
    “remote display”
    Remote Access
    Alarms
    Event Viewer
    Design all functions
    as plugins

  43. OSS in device components
    Device Components 3rd Party Plugins
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Sensors Storage Display Plugins
    Web Server, IM Client
    Connectivity Layer (HTTP, XMPP)
    Plugin Container
    Event Architecture
    Location
    Aware
    Virtualize!
    “On Device”
    Workflow
    Patient
    Context, too

  44. OSS enables enterprise integration
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    BaaS Gateway (DDS, XMPP, ESB)
    Enterprise Data
    RCM, Financials, EHRs
    Device Inventory
    Cross Device
    App Workflows
    Alarm
    Notifications
    Patient Context
    Monitoring
    Device
    Teaming
    Device
    Management
    Report
    Generation
    HIT
    Integration
    Remote
    Surveillance
    Device
    Data
    SSL VPN
    Patient
    Self-Management
    Platforms
    Device Utilization
    Device reimbursement
    Device profitability

  45. Thank You
    Visit
    http://www.netspective.com
    http://www.healthcareguy.com
    E-mail [email protected]
    Follow @ShahidNShah
    Call 202-713-5409
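
The risk formula on slide 30, the severity and probability scales on slide 31 and the FMEA steps on slide 33, combined into one worksheet (an added example, not part of the original deck). The numeric ranks given to the scales, the action threshold, the severity floor and the failure modes of a hypothetical OSS HL7 messaging engine are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Scales from slide 31, least to most; the numeric ranks are an assumption.
SEVERITY = ["very minor", "minor", "moderate injury", "severe injury",
            "fatalities", "multiple fatalities"]
PROBABILITY = ["never", "yearly", "monthly", "weekly", "daily", "hourly",
               "constant exposure"]
ACTION_THRESHOLD = 8           # assumed: R at or above this needs an action
SEVERITY_FLOOR = "fatalities"  # assumed: never auto-accept at or above this

def risk_index(severity: str, probability: str) -> int:
    """R = S_h x P_h on ordinal ranks (S 1..6, P 0..6); bad labels raise ValueError."""
    return (SEVERITY.index(severity) + 1) * PROBABILITY.index(probability)

@dataclass
class FailureMode:
    failure: str
    cause: str
    effect: str
    severity: str
    probability: str
    action: str = ""                            # corrective/preventive action
    residual_probability: Optional[str] = None  # re-assessed while monitoring

    def risk(self) -> int:
        return risk_index(self.severity, self.probability)
    def residual_risk(self) -> int:
        return risk_index(self.severity, self.residual_probability or self.probability)
    def needs_action(self, risk: int) -> bool:
        at_floor = SEVERITY.index(self.severity) >= SEVERITY.index(SEVERITY_FLOOR)
        return risk >= ACTION_THRESHOLD or (at_floor and risk > 0)

def worksheet(modes):
    """Rank failure modes by risk index and report the state of each one."""
    rows = []
    for m in sorted(modes, key=FailureMode.risk, reverse=True):
        if not m.needs_action(m.risk()):
            status = "accept"
        elif not m.action:
            status = "action required"
        elif m.needs_action(m.residual_risk()):
            status = "action ineffective"
        else:
            status = "mitigated"
        rows.append((m.failure, m.risk(), m.residual_risk(), status))
    return rows

# Constructed failure modes for a hypothetical OSS HL7 messaging engine.
MODES = [
    FailureMode("message dropped under load", "queue overflow", "alarm not delivered",
                "severe injury", "weekly", "bounded queue with acknowledgement", "yearly"),
    FailureMode("unit of measure mis-parsed", "locale handling", "wrong value charted",
                "fatalities", "yearly"),
    FailureMode("engine hangs on malformed input", "parser loop", "data feed stalls",
                "moderate injury", "daily", "watchdog restart", "weekly"),
    FailureMode("timestamp drift", "no clock sync", "events out of order",
                "very minor", "constant exposure"),
]
```

The mis-parsed unit has the lowest index of the four, yet it is the one left at "action required": a bare product lets a rare fatal outcome rank below a frequent nuisance, which is why the assumed severity floor is applied alongside the threshold.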