Open Source Software (OSS) and Technologies
in Safety-critical Medical Device Platforms
Using Open Source to Design Connec...
NETSPECTIVE

Who is Shahid?
• Chairman, OSEHRA.org Board of Advisors
• 20+ years of software engineering and
multi-discipl...
NETSPECTIVE

Open source software (OSS) is in your future
• You’re moving from standalone boxes to fully integrated
system...
NETSPECTIVE

The new realities of patient populations
Prevention
•

Education

•

Health Promotions

•

Healthy Lifestyle ...
NETSPECTIVE

Wireless BAN Ecosystem is complex without OSS

Source: Qualcomm
www.netspective.com

5
NETSPECTIVE

Data is getting more sophisticated, analysis even more so
It’s hard today but will be even harder tomorrow

E...
NETSPECTIVE

Implications of healthcare trends
PPACA

ACO

Software

Regulated IT and Systems
Integration Services

MU

He...
NETSPECTIVE

What users want vs. what they’re offered
Data visualization requires integration and aggregation

What’s bein...
NETSPECTIVE

Evolving Healthcare IT Enterprise Architecture
You need to fit into a complex environment

Device
Teaming

Cl...
• Should medical device vendors be using
open source to implement their safetycritical requirements?
• How about contribut...
Yes!
• If you’re not using open source projects in your
own devices then you’re doing far more
engineering work than is ne...
NETSPECTIVE

Connectivity is a must, OSS is answer
Most obvious benefit

Least attention

Most promising
capability

This ...
NETSPECTIVE

Appreciate tradeoffs
The more connectionfriendly a device, the
harder it is to validate it

Integrationfriend...
NETSPECTIVE

What are we afraid of when it comes to OSS?
Compliance

Reliability

Will the FDA and other
regulators accept...
Yes, of course.
Proof: we did it at American Red Cross in 1996 for a Class 3
device built on a modern enterprise IT ecosys...
NETSPECTIVE

Code you write is not necessarily safer
There is significantly more and better
testing of large open source p...
NETSPECTIVE

It’s not as hard as we think…
• Modern real-time operating systems (open source and
commercial) are reliable ...
How to start using OSS immediately
NETSPECTIVE

Remove OSS illiteracy from decision making

Understand open
source licensing,
remove the fear of
IP loss

www...
NETSPECTIVE

Choose the right OSS projects
Requirements
traceability
possible?

Code reviews
conducted by OSS
code authors...
NETSPECTIVE

Engender trust in the code’s provenance

Connect to
the revision
control
system of the
open source
project

w...
NETSPECTIVE

Integrate OSS into your QSR process
Employ continuous
integration (CI) for
your own and OSS
project component...
NETSPECTIVE

But it’s not easy either…we need
Risk
Assessments

Hazard Analysis

Design for
Testability

Design for
Simula...
NETSPECTIVE

OSS hazard and risk assessment
• What is the intended use for the device or system?
• How will the OSS produc...
NETSPECTIVE

Risk is related to severity and harm
R = risk
Sh = severity of harm
Ph = probability of harm

R = S h x Ph

•...
NETSPECTIVE

Examples of Severity & Probability
Severity

Probability

• multiple fatalities
• fatalities
• severe injury ...
NETSPECTIVE

Formal risk assessment methods
What-if analysis

Preliminary
hazard analysis
(PHA)

Fault tree
analysis (FTA)...
NETSPECTIVE

OSS Risk analysis steps - FMEA
Define the function of the OSS product being analyzed.
Identify potential fail...
NETSPECTIVE

Good summary of FMEA
• http://en.wikipedia.org/wiki/
Failure_mode_and_effects_analysis

www.netspective.com

...
NETSPECTIVE

Sampling of OSS / open standards
Project / Standard

Subject area

D

G

Linux or Android

Operating system

...
NETSPECTIVE

OSS applicability to connectivity
Physical
• Wired, wireless (WiFi, cellular, etc.)

Logical
• Device  Gatew...
NETSPECTIVE

OSS applicability to manageability
Security
• Is the device
authorized?

Teaming

Inventory

• Device groupin...
NETSPECTIVE

OSS enables extensible devices
Legacy
Devices

www.netspective.com

Future
Devices

33
NETSPECTIVE

Shahid’s “Ultimate Connectivity Architecture”
5

Device Components

Sensors

Storage

Display

Web Server, IM...
NETSPECTIVE

OSS in Ultimate Architecture Core
Connectivity is
built-in, not added

Device Components

Think about
Plugins...
NETSPECTIVE

OSS enables plugin architecture
Device Components

3rd Party Plugins
App
#1

App
#2

Plugins

Event Architect...
NETSPECTIVE

OSS in connectivity components
Surveillance &
“remote display”

Remote Access

Alarms

Device Components

Des...
NETSPECTIVE

OSS in device components
Virtualize!

Device Components

Sensors

“On Device”
Workflow
Patient
Context, too

...
NETSPECTIVE

OSS enables enterprise integration
Device
Teaming

Cloud
Services

Patient
Self-Management
Platforms

SSL VPN...
Visit
http://www.netspective.com
http://www.healthcareguy.com
E-mail shahid.shah@netspective.com
Follow @ShahidNShah
Call ...
Upcoming SlideShare
Loading in...5
×

How to Use Open Source Technologies in Safety-critical Medical Device Platforms

200

Published on

There is a great deal of fear and angst in the medical device vendor community about the use open source in safety-critical products. This presentation provides advice on why the fear is misplaced and how to proceed with using open source in safety-critical medical devices.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
200
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

How to Use Open Source Technologies in Safety-critical Medical Device Platforms

  1. 1. Open Source Software (OSS) and Technologies in Safety-critical Medical Device Platforms Using Open Source to Design Connected Medical Devices Shahid N. Shah, CEO
  2. 2. NETSPECTIVE Who is Shahid? • Chairman, OSEHRA.org Board of Advisors • 20+ years of software engineering and multi-discipline complex IT implementations (Gov., defense, health, finance, insurance) • 12+ years of healthcare IT and medical devices experience (blog at http://healthcareguy.com) • 15+ years of technology management experience (government, non-profit, commercial) www.netspective.com Author of Chapter 13, “You’re the CIO of your Own Office” 2
  3. 3. NETSPECTIVE Open source software (OSS) is in your future • You’re moving from standalone boxes to fully integrated systems • mHealth demands more interoperability • Your customers demand flexible workflows with enhanced functionality • Your customer demand data integration with their systems • Security of medical devices is under great scrutiny and excuses aren’t going to be accepted www.netspective.com 3
  4. 4. NETSPECTIVE The new realities of patient populations Prevention • Education • Health Promotions • Healthy Lifestyle Choices • Health Risk Assessment Management • • Obesity Management Wellness Management • • • • • • • Assessment – HRA Stratification Dietary Physical Activity Physician Coordination Social Network Behavior Modification • • • Diabetes COPD CHF • • • • • Stratification & Enrollment Disease Management Care Coordination MD Pay-for-Performance Patient Coaching • • • • Physicians Office Hospital Other sites Pharmacology • Catastrophic Case Management Utilization Management Care Coordination Co-morbidities • • • 26 % of Population 35 % of Population 35 % of Population 4% of Population 4 % of Medical Costs 22 % of Medical Costs 37 % of Medical Costs 36 % of Medical Costs Source: Amir Jafri, PrescribeWell www.netspective.com 4
  5. 5. NETSPECTIVE Wireless BAN Ecosystem is complex without OSS Source: Qualcomm www.netspective.com 5
  6. 6. NETSPECTIVE Data is getting more sophisticated, analysis even more so It’s hard today but will be even harder tomorrow Economics Administrative www.netspective.com Phenotypics Behavioral Biochemical Genomics Proteomics IOT sensors 6
  7. 7. NETSPECTIVE Implications of healthcare trends PPACA ACO Software Regulated IT and Systems Integration Services MU Health Home www.netspective.com PCMH mHealth DATA Evidence Based Medicine Comparative Effectiveness 7
  8. 8. NETSPECTIVE What users want vs. what they’re offered Data visualization requires integration and aggregation What’s being offered to users www.netspective.com What users really want 8
  9. 9. NETSPECTIVE Evolving Healthcare IT Enterprise Architecture You need to fit into a complex environment Device Teaming Cloud Services Patient Self-Management Platforms SSL VPN Patient Context Monitoring BaaS Gateway (DDS, XMPP ESB) , Device Data Data Transformation (ESB, HL7) Remote Surveillance Management Dashboards HIT Integration Report Generation Device reimbursement www.netspective.com Enterprise Data RCM, Financials, EHRs Device Management Cross Device App Workflows Device Utilization Device profitability Alarm Notifications Device Inventory 9
  10. 10. • Should medical device vendors be using open source to implement their safetycritical requirements? • How about contributing to open source projects? • How about creating their own open source projects? www.netspective.com 10
  11. 11. Yes! • If you’re not using open source projects in your own devices then you’re doing far more engineering work than is necessary. • If you’re not contributing to open source then you’re not making code you rely on better. • If you’re not creating open source then you’re missing a valuable marketing opportunity. www.netspective.com 11
  12. 12. NETSPECTIVE Connectivity is a must, OSS is answer Most obvious benefit Least attention Most promising capability This talk focuses on connected devices www.netspective.com 12
  13. 13. NETSPECTIVE Appreciate tradeoffs The more connectionfriendly a device, the harder it is to validate it Integrationfriendliness Ease of validation Lesson: Demand Testability www.netspective.com 13
  14. 14. NETSPECTIVE What are we afraid of when it comes to OSS? Compliance Reliability Will the FDA and other regulators accept open source code in safetycritical systems? Is open source code safe enough for medical devices? www.netspective.com 14
  15. 15. Yes, of course. Proof: we did it at American Red Cross in 1996 for a Class 3 device built on a modern enterprise IT ecosystem Lesson: Risk managers and quality leadership often use regulators as an excuse to prevent OSS use because of OSS illiteracy, not legitimate strategy or actual evidence of harm. Reality: Regulators don’t care about your use of open source, they care about safe systems that meet intended use. www.netspective.com 15
  16. 16. NETSPECTIVE Code you write is not necessarily safer There is significantly more and better testing of large open source projects than you could ever do In an integrated ecosystem, you have to learn how to rely on others and do so safely and effectively Modern IT systems’ custom components www.netspective.com 16
  17. 17. NETSPECTIVE It’s not as hard as we think… • Modern real-time operating systems (open source and commercial) are reliable for safety-critical medical-grade requirements. • Open standards such as TCP/IP DDS, HTTP and XMPP can , , pull vendors out of the 1980’s and into the 1990’s.  • Open source and open standards that promote enterprise IT connectivity can pull vendors into the 2010’s and beyond. www.netspective.com 17
  18. 18. How to start using OSS immediately
  19. 19. NETSPECTIVE Remove OSS illiteracy from decision making Understand open source licensing, remove the fear of IP loss www.netspective.com Understand where code is coming from and what test harnesses included Get in touch with the open source developers to find out the current utilization 19
  20. 20. NETSPECTIVE Choose the right OSS projects Requirements traceability possible? Code reviews conducted by OSS code authors? Unit testing conducted by authors? Continuous integration system employed? Integration testing conducted? Performance testing conducted? Safety testing conducted? Security testing conducted? www.netspective.com 20
  21. 21. NETSPECTIVE Engender trust in the code’s provenance Connect to the revision control system of the open source project www.netspective.com Create your own binaries Create a process to securely sign the binaries Create your own deployment packages 21
  22. 22. NETSPECTIVE Integrate OSS into your QSR process Employ continuous integration (CI) for your own and OSS project components Create a process to test the binaries using code coverage tools Keep an eye on changes coming in from the source and retest regularly www.netspective.com Conduct continuous hazard and risk analysis of outside code Review your process with the compliance officers and get their regular buy in 22
  23. 23. NETSPECTIVE But it’s not easy either…we need Risk Assessments Hazard Analysis Design for Testability Design for Simulations Documentation Traceability Mathematical Proofs Determinism Instrumentation Theoretical foundations www.netspective.com 23
  24. 24. NETSPECTIVE OSS hazard and risk assessment • What is the intended use for the device or system? • How will the OSS product you’re planning to use going to be tied to your intended use? • What is the risk associated with the OSS product for that particular intended use? R = S h x Ph www.netspective.com 24
  25. 25. NETSPECTIVE Risk is related to severity and harm R = risk Sh = severity of harm Ph = probability of harm R = S h x Ph • Harm is damage done to a person • Severity is the degree of harm done • Probability is the frequency and duration of exposure www.netspective.com 25
  26. 26. NETSPECTIVE Examples of Severity & Probability Severity Probability • multiple fatalities • fatalities • severe injury (non-reversible, requires hospitalization) • moderate injury (reversible, requires hospitalization) • minor (reversible, requires first aid) • very minor (no first aid) • • • • • • • www.netspective.com Constant exposure Hourly Daily Weekly Monthly Yearly Never 26
  27. 27. NETSPECTIVE Formal risk assessment methods What-if analysis Preliminary hazard analysis (PHA) Fault tree analysis (FTA) www.netspective.com Failure modes and effects analysis (FMEA) Hazard and operability studies 27
  28. 28. NETSPECTIVE OSS Risk analysis steps - FMEA Define the function of the OSS product being analyzed. Identify potential failures of the OSS. Determine the causes of each failure types. Determine the effects of potential failures. Assign a risk index to each of the failure types. Determine the most appropriate corrective/preventive actions. • Monitor the implementation of the corrective/preventive to ensure that it is having the desired effect. • • • • • • www.netspective.com 28
  29. 29. NETSPECTIVE Good summary of FMEA • http://en.wikipedia.org/wiki/ Failure_mode_and_effects_analysis www.netspective.com 29
  30. 30. NETSPECTIVE Sampling of OSS / open standards Project / Standard Subject area D G Linux or Android Operating system   OMG DDS (data distribution service) Publish and subscribe messaging   AppWeb, Apache Web/app server   OpenTSDB Time series database  Open source project Mirth HL7 messaging engine  Built on Mule ESB Alembic Aurion HIE, message exchange  Successor to CONNECT HTML5, XMPP JSON , Various areas   Don’t reinvent the wheel SAML, XACML Security and privacy   DynObj, OSGi, JPF Plugin frameworks   www.netspective.com Comments Open standard with open source implementations Build for extensibility 30
  31. 31. NETSPECTIVE OSS applicability to connectivity Physical • Wired, wireless (WiFi, cellular, etc.) Logical • Device  Gateway  Data Routers  Systems Structural • Security, Numbers, Units of Measure, etc. Semantic • Presence, Vitals, Glucose, Heartbeats, etc. www.netspective.com 31
  32. 32. NETSPECTIVE OSS applicability to manageability Security • Is the device authorized? Teaming Inventory • Device grouping • Where is the device? Presence • Is a device connected? www.netspective.com 32
  33. 33. NETSPECTIVE OSS enables extensible devices Legacy Devices www.netspective.com Future Devices 33
  34. 34. NETSPECTIVE Shahid’s “Ultimate Connectivity Architecture” 5 Device Components Sensors Storage Display Web Server, IM Client • Presence 6 • Messaging • Registration • JDBC, Query Plugins 3rd Party Plugins App #1 App #2 7 4 Connectivity Layer (DDS, HTTP, XMPP) 3 Plugin Container 2 1 Security and Management Layer Device OS Event Architecture Location Aware (QNX, Linux, Windows) SSL VPN Healthcare Enterprise 8 Patient Context Device Gateway (DDS, ESB) Inventory Notifications Cloud Services Data Transformation (ESB, HL7) Management Dashboards www.netspective.com Workflow 9 Enterprise Data 34
  35. 35. NETSPECTIVE OSS in Ultimate Architecture Core Connectivity is built-in, not added Device Components Think about Plugins from day 1 Build on Open Source Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Device OS (QNX, Linux, Windows) Don’t create your own OS! www.netspective.com Security and Management Layer Create code as a last resort Security isn’t added later 35
  36. 36. NETSPECTIVE OSS enables plugin architecture Device Components 3rd Party Plugins App #1 App #2 Plugins Event Architecture Location Aware Plugin Container Device OS (QNX, Linux, Windows) www.netspective.com Connectivity Layer (DDS, HTTP, XMPP) Security and Management Layer 36
  37. 37. NETSPECTIVE OSS in connectivity components Surveillance & “remote display” Remote Access Alarms Device Components Design all functions as plugins Event Viewer Web Server, IM Client • Presence • Messaging • Registration • JDBC, Query Connectivity Layer (DDS, HTTP, XMPP) Plugin Container Device OS (QNX, Linux, Windows) www.netspective.com Security and Management Layer 37
  38. 38. NETSPECTIVE OSS in device components Virtualize! Device Components Sensors “On Device” Workflow Patient Context, too www.netspective.com Storage Web Server, IM Client Display Event Architecture Location Aware 3rd Party Plugins Plugins Connectivity Layer (HTTP, XMPP) Plugin Container Device OS (QNX, Linux, Windows) Security and Management Layer 38
  39. 39. NETSPECTIVE OSS enables enterprise integration Device Teaming Cloud Services Patient Self-Management Platforms SSL VPN Patient Context Monitoring BaaS Gateway (DDS, XMPP ESB) , Device Data Data Transformation (ESB, HL7) Remote Surveillance Management Dashboards HIT Integration Report Generation Device reimbursement www.netspective.com Enterprise Data RCM, Financials, EHRs Device Management Cross Device App Workflows Device Utilization Device profitability Alarm Notifications Device Inventory 39
  40. 40. Visit http://www.netspective.com http://www.healthcareguy.com E-mail shahid.shah@netspective.com Follow @ShahidNShah Call 202-713-5409 Thank You

×