$30 off During Our Annual Pro Sale. View Details »

How to Use Open Source Technologies in Safety-critical Medical Device Platforms

Shahid N. Shah
September 18, 2013

How to Use Open Source Technologies in Safety-critical Medical Device Platforms

There is a great deal of fear and angst in the medical device vendor community about the use open source in safety-critical products. This presentation provides advice on why the fear is misplaced and how to proceed with using open source in safety-critical medical devices.

Shahid N. Shah

September 18, 2013
Tweet

More Decks by Shahid N. Shah

Other Decks in Technology

Transcript

  1. Open Source Software (OSS) and Technologies
    in Safety-critical Medical Device Platforms
    Using Open Source to Design Connected Medical Devices
    Shahid N. Shah, CEO

    View Slide

  2. NETSPECTIVE
    www.netspective.com 2
    Who is Shahid?
    • Chairman, OSEHRA.org Board of Advisors
    • 20+ years of software engineering and
    multi-discipline complex IT implementations
    (Gov., defense, health, finance, insurance)
    • 12+ years of healthcare IT and medical
    devices experience (blog at
    http://healthcareguy.com)
    • 15+ years of technology management
    experience (government, non-profit,
    commercial)
    Author of Chapter 13, “You’re
    the CIO of your Own Office”

    View Slide

  3. NETSPECTIVE
    www.netspective.com 3
    Open source software (OSS) is in your future
    • You’re moving from standalone boxes to fully integrated
    systems
    • mHealth demands more interoperability
    • Your customers demand flexible workflows with enhanced
    functionality
    • Your customer demand data integration with their systems
    • Security of medical devices is under great scrutiny and
    excuses aren’t going to be accepted

    View Slide

  4. NETSPECTIVE
    www.netspective.com 4
    The new realities of patient populations
    • Obesity Management
    • Wellness Management
    • Assessment – HRA
    • Stratification
    • Dietary
    • Physical Activity
    • Physician Coordination
    • Social Network
    • Behavior Modification
    • Education
    • Health Promotions
    • Healthy Lifestyle Choices
    • Health Risk Assessment
    • Diabetes
    • COPD
    • CHF
    • Stratification & Enrollment
    • Disease Management
    • Care Coordination
    • MD Pay-for-Performance
    • Patient Coaching
    • Physicians Office
    • Hospital
    • Other sites
    • Pharmacology
    • Catastrophic Case
    Management
    • Utilization Management
    • Care Coordination
    • Co-morbidities
    Prevention Management
    26 % of Population
    4 % of Medical Costs
    35 % of Population
    22 % of Medical Costs
    35 % of Population
    37 % of Medical Costs
    4% of Population
    36 % of Medical Costs
    Source: Amir Jafri, PrescribeWell

    View Slide

  5. NETSPECTIVE
    www.netspective.com 5
    Wireless BAN Ecosystem is complex without OSS
    Source: Qualcomm

    View Slide

  6. NETSPECTIVE
    www.netspective.com 6
    Data is getting more sophisticated, analysis even more so
    Proteomics
    Genomics
    Biochemical
    Behavioral
    Phenotypics
    Economics
    It’s hard today but will be even harder tomorrow
    IOT sensors
    Administrative

    View Slide

  7. NETSPECTIVE
    www.netspective.com 7
    Implications of healthcare trends
    PPACA ACO
    MU PCMH
    Health
    Home
    mHealth
    DATA
    Evidence Based Medicine
    Comparative Effectiveness
    Software
    Regulated IT and Systems
    Integration Services

    View Slide

  8. NETSPECTIVE
    www.netspective.com 8
    What’s being offered to users What users really want
    What users want vs. what they’re offered
    Data visualization requires integration and aggregation

    View Slide

  9. NETSPECTIVE
    www.netspective.com 9
    Evolving Healthcare IT Enterprise Architecture
    You need to fit into a complex environment
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    BaaS Gateway
    (DDS, XMPP
    , ESB)
    Enterprise Data
    RCM, Financials,
    EHRs
    Device Inventory
    Cross Device
    App Workflows
    Alarm
    Notifications
    Patient Context
    Monitoring
    Device
    Teaming
    Device
    Management
    Report
    Generation
    HIT
    Integration
    Remote
    Surveillance
    Device
    Data
    SSL VPN
    Patient
    Self-Management
    Platforms
    Device Utilization
    Device reimbursement
    Device profitability

    View Slide

  10. www.netspective.com 10
    • Should medical device vendors be using
    open source to implement their safety-
    critical requirements?
    • How about contributing to open source
    projects?
    • How about creating their own open
    source projects?

    View Slide

  11. www.netspective.com 11
    Yes!
    • If you’re not using open source projects in your
    own devices then you’re doing far more
    engineering work than is necessary.
    • If you’re not contributing to open source then
    you’re not making code you rely on better.
    • If you’re not creating open source then you’re
    missing a valuable marketing opportunity.

    View Slide

  12. NETSPECTIVE
    www.netspective.com 12
    Connectivity is a must, OSS is answer
    Most obvious benefit Least attention
    Most promising
    capability
    This talk focuses on
    connected devices

    View Slide

  13. NETSPECTIVE
    www.netspective.com 13
    Appreciate tradeoffs
    Integration-
    friendliness Ease of
    validation
    The more connection-
    friendly a device, the
    harder it is to validate it
    Lesson: Demand Testability

    View Slide

  14. NETSPECTIVE
    www.netspective.com 14
    What are we afraid of when it comes to OSS?
    Compliance
    Will the FDA and other
    regulators accept open
    source code in safety-
    critical systems?
    Reliability
    Is open source code safe
    enough for medical
    devices?

    View Slide

  15. www.netspective.com 15
    Yes, of course.
    Proof: we did it at American Red Cross in 1996 for a Class 3
    device built on a modern enterprise IT ecosystem
    Lesson: Risk managers and quality leadership often use
    regulators as an excuse to prevent OSS use because of OSS
    illiteracy, not legitimate strategy or actual evidence of harm.
    Reality: Regulators don’t care about your use of open source,
    they care about safe systems that meet intended use.

    View Slide

  16. NETSPECTIVE
    www.netspective.com 16
    Code you write is not necessarily safer
    Modern IT systems’ custom
    components
    There is significantly more and better
    testing of large open source projects
    than you could ever do
    In an integrated ecosystem, you have to
    learn how to rely on others and do so
    safely and effectively

    View Slide

  17. NETSPECTIVE
    www.netspective.com 17
    It’s not as hard as we think…
    • Modern real-time operating systems (open source and
    commercial) are reliable for safety-critical medical-grade
    requirements.
    • Open standards such as TCP/IP
    , DDS, HTTP
    , and XMPP can
    pull vendors out of the 1980’s and into the 1990’s. 
    • Open source and open standards that promote enterprise IT
    connectivity can pull vendors into the 2010’s and beyond.

    View Slide

  18. How to start using OSS immediately

    View Slide

  19. NETSPECTIVE
    www.netspective.com 19
    Remove OSS illiteracy from decision making
    Understand open
    source licensing,
    remove the fear of
    IP loss
    Understand where
    code is coming
    from and what test
    harnesses included
    Get in touch with
    the open source
    developers to find
    out the current
    utilization

    View Slide

  20. NETSPECTIVE
    www.netspective.com 20
    Choose the right OSS projects
    Requirements
    traceability
    possible?
    Code reviews
    conducted by OSS
    code authors?
    Unit testing
    conducted by
    authors?
    Continuous
    integration system
    employed?
    Integration testing
    conducted?
    Performance
    testing
    conducted?
    Safety testing
    conducted?
    Security testing
    conducted?

    View Slide

  21. NETSPECTIVE
    www.netspective.com 21
    Engender trust in the code’s provenance
    Connect to
    the revision
    control
    system of the
    open source
    project
    Create your
    own binaries
    Create a
    process to
    securely sign
    the binaries
    Create your
    own
    deployment
    packages

    View Slide

  22. NETSPECTIVE
    www.netspective.com 22
    Integrate OSS into your QSR process
    Employ continuous
    integration (CI) for
    your own and OSS
    project components
    Create a process to
    test the binaries
    using code
    coverage tools
    Conduct continuous
    hazard and risk
    analysis of outside
    code
    Keep an eye on
    changes coming in
    from the source and
    retest regularly
    Review your process
    with the compliance
    officers and get
    their regular buy in

    View Slide

  23. NETSPECTIVE
    www.netspective.com 23
    But it’s not easy either…we need
    Risk
    Assessments
    Hazard Analysis
    Design for
    Testability
    Design for
    Simulations
    Documentation Traceability
    Mathematical
    Proofs
    Determinism
    Instrumentation
    Theoretical
    foundations

    View Slide

  24. NETSPECTIVE
    www.netspective.com 24
    OSS hazard and risk assessment
    • What is the intended use for the device or system?
    • How will the OSS product you’re planning to use going to be
    tied to your intended use?
    • What is the risk associated with the OSS product for that
    particular intended use?
    R = Sh
    x Ph

    View Slide

  25. NETSPECTIVE
    www.netspective.com 25
    Risk is related to severity and harm
    R = Sh
    x Ph
    R = risk
    Sh
    = severity of harm
    Ph
    = probability of harm
    • Harm is damage done to a person
    • Severity is the degree of harm done
    • Probability is the frequency and duration of exposure

    View Slide

  26. NETSPECTIVE
    www.netspective.com 26
    Examples of Severity & Probability
    Severity
    • multiple fatalities
    • fatalities
    • severe injury (non-reversible, requires
    hospitalization)
    • moderate injury (reversible, requires
    hospitalization)
    • minor (reversible, requires first aid)
    • very minor (no first aid)
    Probability
    • Constant exposure
    • Hourly
    • Daily
    • Weekly
    • Monthly
    • Yearly
    • Never

    View Slide

  27. NETSPECTIVE
    www.netspective.com 27
    Formal risk assessment methods
    What-if analysis
    Preliminary
    hazard analysis
    (PHA)
    Failure modes
    and effects
    analysis (FMEA)
    Fault tree
    analysis (FTA)
    Hazard and
    operability
    studies

    View Slide

  28. NETSPECTIVE
    www.netspective.com 28
    OSS Risk analysis steps - FMEA
    • Define the function of the OSS product being analyzed.
    • Identify potential failures of the OSS.
    • Determine the causes of each failure types.
    • Determine the effects of potential failures.
    • Assign a risk index to each of the failure types.
    • Determine the most appropriate corrective/preventive
    actions.
    • Monitor the implementation of the corrective/preventive to
    ensure that it is having the desired effect.

    View Slide

  29. NETSPECTIVE
    www.netspective.com 29
    Good summary of FMEA
    • http://en.wikipedia.org/wiki/
    Failure_mode_and_effects_analysis

    View Slide

  30. NETSPECTIVE
    www.netspective.com 30
    Sampling of OSS / open standards
    Project / Standard Subject area D G Comments
    Linux or Android Operating system  
    OMG DDS (data
    distribution service)
    Publish and subscribe
    messaging
      Open standard with open
    source implementations
    AppWeb, Apache Web/app server  
    OpenTSDB Time series database  Open source project
    Mirth HL7 messaging engine  Built on Mule ESB
    Alembic Aurion HIE, message exchange  Successor to CONNECT
    HTML5, XMPP
    , JSON Various areas   Don’t reinvent the wheel
    SAML, XACML Security and privacy  
    DynObj, OSGi, JPF Plugin frameworks   Build for extensibility

    View Slide

  31. NETSPECTIVE
    www.netspective.com 31
    OSS applicability to connectivity
    Physical
    • Wired, wireless (WiFi, cellular, etc.)
    Logical
    • Device  Gateway  Data Routers  Systems
    Structural
    • Security, Numbers, Units of Measure, etc.
    Semantic
    • Presence, Vitals, Glucose, Heartbeats, etc.

    View Slide

  32. NETSPECTIVE
    www.netspective.com 32
    OSS applicability to manageability
    Security
    • Is the device
    authorized?
    Inventory
    • Where is the device?
    Presence
    • Is a device connected?
    Teaming
    • Device grouping

    View Slide

  33. NETSPECTIVE
    www.netspective.com 33
    OSS enables extensible devices
    Legacy
    Devices
    Future
    Devices

    View Slide

  34. NETSPECTIVE
    www.netspective.com 34
    Device Components 3rd Party Plugins
    App
    #1
    App
    #2
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Sensors Storage Display Plugins
    Web Server, IM Client
    Connectivity Layer (DDS, HTTP, XMPP)
    • Presence
    • Messaging
    • Registration
    • JDBC, Query
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    Device Gateway (DDS, ESB)
    Healthcare Enterprise
    Enterprise
    Data
    Shahid’s “Ultimate Connectivity Architecture”
    Plugin Container
    Event Architecture
    Inventory
    Workflow
    Notifications
    Patient Context
    Location
    Aware
    1 2
    3
    4
    5
    6
    7
    8
    9
    SSL VPN

    View Slide

  35. NETSPECTIVE
    www.netspective.com 35
    OSS in Ultimate Architecture Core
    Device Components
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Connectivity Layer (DDS, HTTP, XMPP)
    Plugin Container
    Don’t create
    your own OS!
    Security isn’t
    added later
    Think about
    Plugins from day 1
    Connectivity is
    built-in, not added
    Build on
    Open Source
    Create code as
    a last resort

    View Slide

  36. NETSPECTIVE
    www.netspective.com 36
    OSS enables plugin architecture
    Device Components 3rd Party Plugins
    App
    #1
    App
    #2
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Plugins
    Connectivity Layer (DDS, HTTP, XMPP)
    Plugin Container
    Event Architecture
    Location
    Aware

    View Slide

  37. NETSPECTIVE
    www.netspective.com 37
    OSS in connectivity components
    Device Components
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Web Server, IM Client
    Connectivity Layer (DDS, HTTP, XMPP)
    • Presence
    • Messaging
    • Registration
    • JDBC, Query
    Plugin Container
    Surveillance &
    “remote display”
    Remote Access
    Alarms
    Event Viewer
    Design all functions
    as plugins

    View Slide

  38. NETSPECTIVE
    www.netspective.com 38
    OSS in device components
    Device Components 3rd Party Plugins
    Security and Management Layer
    Device OS
    (QNX, Linux, Windows)
    Sensors Storage Display Plugins
    Web Server, IM Client
    Connectivity Layer (HTTP, XMPP)
    Plugin Container
    Event Architecture
    Location
    Aware
    Virtualize!
    “On Device”
    Workflow
    Patient
    Context, too

    View Slide

  39. NETSPECTIVE
    www.netspective.com 39
    OSS enables enterprise integration
    Cloud
    Services
    Management
    Dashboards
    Data Transformation (ESB, HL7)
    BaaS Gateway
    (DDS, XMPP
    , ESB)
    Enterprise Data
    RCM, Financials,
    EHRs
    Device Inventory
    Cross Device
    App Workflows
    Alarm
    Notifications
    Patient Context
    Monitoring
    Device
    Teaming
    Device
    Management
    Report
    Generation
    HIT
    Integration
    Remote
    Surveillance
    Device
    Data
    SSL VPN
    Patient
    Self-Management
    Platforms
    Device Utilization
    Device reimbursement
    Device profitability

    View Slide

  40. Thank You
    Visit
    http://www.netspective.com
    http://www.healthcareguy.com
    E-mail [email protected]
    Follow @ShahidNShah
    Call 202-713-5409

    View Slide