How to Use Open Source Technologies in Safety-critical Medical Device Platforms

3962189473d062fdc76ce9a07cbe89fd?s=47 Shahid N. Shah
September 18, 2013

How to Use Open Source Technologies in Safety-critical Medical Device Platforms

There is a great deal of fear and angst in the medical device vendor community about the use open source in safety-critical products. This presentation provides advice on why the fear is misplaced and how to proceed with using open source in safety-critical medical devices.

3962189473d062fdc76ce9a07cbe89fd?s=128

Shahid N. Shah

September 18, 2013
Tweet

Transcript

  1. Open Source Software (OSS) and Technologies in Safety-critical Medical Device

    Platforms Using Open Source to Design Connected Medical Devices Shahid N. Shah, CEO
  2. NETSPECTIVE www.netspective.com 2 Who is Shahid? • Chairman, OSEHRA.org Board

    of Advisors • 20+ years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance) • 12+ years of healthcare IT and medical devices experience (blog at http://healthcareguy.com) • 15+ years of technology management experience (government, non-profit, commercial) Author of Chapter 13, “You’re the CIO of your Own Office”
  3. NETSPECTIVE www.netspective.com 3 Open source software (OSS) is in your

    future • You’re moving from standalone boxes to fully integrated systems • mHealth demands more interoperability • Your customers demand flexible workflows with enhanced functionality • Your customer demand data integration with their systems • Security of medical devices is under great scrutiny and excuses aren’t going to be accepted
  4. NETSPECTIVE www.netspective.com 4 The new realities of patient populations •

    Obesity Management • Wellness Management • Assessment – HRA • Stratification • Dietary • Physical Activity • Physician Coordination • Social Network • Behavior Modification • Education • Health Promotions • Healthy Lifestyle Choices • Health Risk Assessment • Diabetes • COPD • CHF • Stratification & Enrollment • Disease Management • Care Coordination • MD Pay-for-Performance • Patient Coaching • Physicians Office • Hospital • Other sites • Pharmacology • Catastrophic Case Management • Utilization Management • Care Coordination • Co-morbidities Prevention Management 26 % of Population 4 % of Medical Costs 35 % of Population 22 % of Medical Costs 35 % of Population 37 % of Medical Costs 4% of Population 36 % of Medical Costs Source: Amir Jafri, PrescribeWell
  5. NETSPECTIVE www.netspective.com 5 Wireless BAN Ecosystem is complex without OSS

    Source: Qualcomm
  6. NETSPECTIVE www.netspective.com 6 Data is getting more sophisticated, analysis even

    more so Proteomics Genomics Biochemical Behavioral Phenotypics Economics It’s hard today but will be even harder tomorrow IOT sensors Administrative
  7. NETSPECTIVE www.netspective.com 7 Implications of healthcare trends PPACA ACO MU

    PCMH Health Home mHealth DATA Evidence Based Medicine Comparative Effectiveness Software Regulated IT and Systems Integration Services
  8. NETSPECTIVE www.netspective.com 8 What’s being offered to users What users

    really want What users want vs. what they’re offered Data visualization requires integration and aggregation
  9. NETSPECTIVE www.netspective.com 9 Evolving Healthcare IT Enterprise Architecture You need

    to fit into a complex environment Cloud Services Management Dashboards Data Transformation (ESB, HL7) BaaS Gateway (DDS, XMPP , ESB) Enterprise Data RCM, Financials, EHRs Device Inventory Cross Device App Workflows Alarm Notifications Patient Context Monitoring Device Teaming Device Management Report Generation HIT Integration Remote Surveillance Device Data SSL VPN Patient Self-Management Platforms Device Utilization Device reimbursement Device profitability
  10. www.netspective.com 10 • Should medical device vendors be using open

    source to implement their safety- critical requirements? • How about contributing to open source projects? • How about creating their own open source projects?
  11. www.netspective.com 11 Yes! • If you’re not using open source

    projects in your own devices then you’re doing far more engineering work than is necessary. • If you’re not contributing to open source then you’re not making code you rely on better. • If you’re not creating open source then you’re missing a valuable marketing opportunity.
  12. NETSPECTIVE www.netspective.com 12 Connectivity is a must, OSS is answer

    Most obvious benefit Least attention Most promising capability This talk focuses on connected devices
  13. NETSPECTIVE www.netspective.com 13 Appreciate tradeoffs Integration- friendliness Ease of validation

    The more connection- friendly a device, the harder it is to validate it Lesson: Demand Testability
  14. NETSPECTIVE www.netspective.com 14 What are we afraid of when it

    comes to OSS? Compliance Will the FDA and other regulators accept open source code in safety- critical systems? Reliability Is open source code safe enough for medical devices?
  15. www.netspective.com 15 Yes, of course. Proof: we did it at

    American Red Cross in 1996 for a Class 3 device built on a modern enterprise IT ecosystem Lesson: Risk managers and quality leadership often use regulators as an excuse to prevent OSS use because of OSS illiteracy, not legitimate strategy or actual evidence of harm. Reality: Regulators don’t care about your use of open source, they care about safe systems that meet intended use.
  16. NETSPECTIVE www.netspective.com 16 Code you write is not necessarily safer

    Modern IT systems’ custom components There is significantly more and better testing of large open source projects than you could ever do In an integrated ecosystem, you have to learn how to rely on others and do so safely and effectively
  17. NETSPECTIVE www.netspective.com 17 It’s not as hard as we think…

    • Modern real-time operating systems (open source and commercial) are reliable for safety-critical medical-grade requirements. • Open standards such as TCP/IP , DDS, HTTP , and XMPP can pull vendors out of the 1980’s and into the 1990’s.  • Open source and open standards that promote enterprise IT connectivity can pull vendors into the 2010’s and beyond.
  18. How to start using OSS immediately

  19. NETSPECTIVE www.netspective.com 19 Remove OSS illiteracy from decision making Understand

    open source licensing, remove the fear of IP loss Understand where code is coming from and what test harnesses included Get in touch with the open source developers to find out the current utilization
  20. NETSPECTIVE www.netspective.com 20 Choose the right OSS projects Requirements traceability

    possible? Code reviews conducted by OSS code authors? Unit testing conducted by authors? Continuous integration system employed? Integration testing conducted? Performance testing conducted? Safety testing conducted? Security testing conducted?
  21. NETSPECTIVE www.netspective.com 21 Engender trust in the code’s provenance Connect

    to the revision control system of the open source project Create your own binaries Create a process to securely sign the binaries Create your own deployment packages
  22. NETSPECTIVE www.netspective.com 22 Integrate OSS into your QSR process Employ

    continuous integration (CI) for your own and OSS project components Create a process to test the binaries using code coverage tools Conduct continuous hazard and risk analysis of outside code Keep an eye on changes coming in from the source and retest regularly Review your process with the compliance officers and get their regular buy in
  23. NETSPECTIVE www.netspective.com 23 But it’s not easy either…we need Risk

    Assessments Hazard Analysis Design for Testability Design for Simulations Documentation Traceability Mathematical Proofs Determinism Instrumentation Theoretical foundations
  24. NETSPECTIVE www.netspective.com 24 OSS hazard and risk assessment • What

    is the intended use for the device or system? • How will the OSS product you’re planning to use going to be tied to your intended use? • What is the risk associated with the OSS product for that particular intended use? R = Sh x Ph
  25. NETSPECTIVE www.netspective.com 25 Risk is related to severity and harm

    R = Sh x Ph R = risk Sh = severity of harm Ph = probability of harm • Harm is damage done to a person • Severity is the degree of harm done • Probability is the frequency and duration of exposure
  26. NETSPECTIVE www.netspective.com 26 Examples of Severity & Probability Severity •

    multiple fatalities • fatalities • severe injury (non-reversible, requires hospitalization) • moderate injury (reversible, requires hospitalization) • minor (reversible, requires first aid) • very minor (no first aid) Probability • Constant exposure • Hourly • Daily • Weekly • Monthly • Yearly • Never
  27. NETSPECTIVE www.netspective.com 27 Formal risk assessment methods What-if analysis Preliminary

    hazard analysis (PHA) Failure modes and effects analysis (FMEA) Fault tree analysis (FTA) Hazard and operability studies
  28. NETSPECTIVE www.netspective.com 28 OSS Risk analysis steps - FMEA •

    Define the function of the OSS product being analyzed. • Identify potential failures of the OSS. • Determine the causes of each failure types. • Determine the effects of potential failures. • Assign a risk index to each of the failure types. • Determine the most appropriate corrective/preventive actions. • Monitor the implementation of the corrective/preventive to ensure that it is having the desired effect.
  29. NETSPECTIVE www.netspective.com 29 Good summary of FMEA • http://en.wikipedia.org/wiki/ Failure_mode_and_effects_analysis

  30. NETSPECTIVE www.netspective.com 30 Sampling of OSS / open standards Project

    / Standard Subject area D G Comments Linux or Android Operating system   OMG DDS (data distribution service) Publish and subscribe messaging   Open standard with open source implementations AppWeb, Apache Web/app server   OpenTSDB Time series database  Open source project Mirth HL7 messaging engine  Built on Mule ESB Alembic Aurion HIE, message exchange  Successor to CONNECT HTML5, XMPP , JSON Various areas   Don’t reinvent the wheel SAML, XACML Security and privacy   DynObj, OSGi, JPF Plugin frameworks   Build for extensibility
  31. NETSPECTIVE www.netspective.com 31 OSS applicability to connectivity Physical • Wired,

    wireless (WiFi, cellular, etc.) Logical • Device  Gateway  Data Routers  Systems Structural • Security, Numbers, Units of Measure, etc. Semantic • Presence, Vitals, Glucose, Heartbeats, etc.
  32. NETSPECTIVE www.netspective.com 32 OSS applicability to manageability Security • Is

    the device authorized? Inventory • Where is the device? Presence • Is a device connected? Teaming • Device grouping
  33. NETSPECTIVE www.netspective.com 33 OSS enables extensible devices Legacy Devices Future

    Devices
  34. NETSPECTIVE www.netspective.com 34 Device Components 3rd Party Plugins App #1

    App #2 Security and Management Layer Device OS (QNX, Linux, Windows) Sensors Storage Display Plugins Web Server, IM Client Connectivity Layer (DDS, HTTP, XMPP) • Presence • Messaging • Registration • JDBC, Query Cloud Services Management Dashboards Data Transformation (ESB, HL7) Device Gateway (DDS, ESB) Healthcare Enterprise Enterprise Data Shahid’s “Ultimate Connectivity Architecture” Plugin Container Event Architecture Inventory Workflow Notifications Patient Context Location Aware 1 2 3 4 5 6 7 8 9 SSL VPN
  35. NETSPECTIVE www.netspective.com 35 OSS in Ultimate Architecture Core Device Components

    Security and Management Layer Device OS (QNX, Linux, Windows) Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Don’t create your own OS! Security isn’t added later Think about Plugins from day 1 Connectivity is built-in, not added Build on Open Source Create code as a last resort
  36. NETSPECTIVE www.netspective.com 36 OSS enables plugin architecture Device Components 3rd

    Party Plugins App #1 App #2 Security and Management Layer Device OS (QNX, Linux, Windows) Plugins Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Event Architecture Location Aware
  37. NETSPECTIVE www.netspective.com 37 OSS in connectivity components Device Components Security

    and Management Layer Device OS (QNX, Linux, Windows) Web Server, IM Client Connectivity Layer (DDS, HTTP, XMPP) • Presence • Messaging • Registration • JDBC, Query Plugin Container Surveillance & “remote display” Remote Access Alarms Event Viewer Design all functions as plugins
  38. NETSPECTIVE www.netspective.com 38 OSS in device components Device Components 3rd

    Party Plugins Security and Management Layer Device OS (QNX, Linux, Windows) Sensors Storage Display Plugins Web Server, IM Client Connectivity Layer (HTTP, XMPP) Plugin Container Event Architecture Location Aware Virtualize! “On Device” Workflow Patient Context, too
  39. NETSPECTIVE www.netspective.com 39 OSS enables enterprise integration Cloud Services Management

    Dashboards Data Transformation (ESB, HL7) BaaS Gateway (DDS, XMPP , ESB) Enterprise Data RCM, Financials, EHRs Device Inventory Cross Device App Workflows Alarm Notifications Patient Context Monitoring Device Teaming Device Management Report Generation HIT Integration Remote Surveillance Device Data SSL VPN Patient Self-Management Platforms Device Utilization Device reimbursement Device profitability
  40. Thank You Visit http://www.netspective.com http://www.healthcareguy.com E-mail shahid.shah@netspective.com Follow @ShahidNShah Call

    202-713-5409