Medical Device Software under IEC George Romanski

Similar documents
Dependable Technologies For Critical Systems. Software Verification. 22 nd May Technologies Ltd 2011 Critical Software

Using codebeamer to Achieve

Towards Systematic Software Reuse in Certifiable Safety-Critical Systems

Developing Medical Device Software to be compliant with IEC Amendment 1:2015

DO-178B 김영승 이선아

Avoiding Top Mistakes in Safety Critical Software Development

The Verification Company. Software Development and Verification compliance to DO-178C/ED-12C

ISO The International Energy Management Standard. esta.org.uk

ehealth Suisse Checklists Addendum to the guideline for app developers, manufacturers and distributors

Verification & Validation of an Autonomous Quadcopter System

Medical Device Software Standards

A Cost-effective Methodology for Achieving ISO26262 Software Compliance. Mark Pitchford

Chapter 26. Quality Management

Safety in the Matrix. Siemens AG All rights reserved.

Compliance driven Integrated circuit development based on ISO26262

Safe and Secure by Design: Systems Engineering Best Practices for Connected Vehicles

version NDIA CMMI Conf 3.5 SE Tutorial RE - 1

Evaluation of open source operating systems for safety-critical applications Master s thesis in Embedded Electronic System Design

JDI Quality Assurance Guideline

Software in Medical Devices

ISO Compliance Using Approved Software Components for Road Vehicles

Software Safety and Certification

Intland s Medical IEC & ISO Template

Functional Testing. CSCE Lecture 4-01/21/2016

Applying ISO14971 / IEC62304 / IEC A Practical Guide On How To Implement Risk Management

ISO : Rustam Rakhimov (DMS Lab)

Further excellence. Freedom of association. How can you enhance social responsibility within your supply chain? Social responsibility Audit solutions

9. Verification, Validation, Testing

ISCC PLUS SAI Gold. SAI Gold ISCC PLUS V 1.0

CMMI V2.0 MODEL AT-A-GLANCE. Including the following views: Development Services Supplier Management. CMMI V2.0 outline BOOKLET FOR print.

Medical Device Software Development:


Cintipation Corp. CORINTHIAN PROJECT Policy for Requirements Management

Supplier Quality Survey. 1. Type of Business: g) Commodities supplied? Supplier Changes/comments: 2. Headcount breakdown by group: Purchasing

Deterministic Modeling and Qualifiable Ada Code Generation for Safety-Critical Projects

Integrating Functional Safety with ARM. November, 2015 Lifeng Geng, Embedded Marketing Manager

Topics summarised in this presentation are: method for defining quality level you want meaning of external controls quality assurance activities

Medical Device Directive

A Model-Based Reference Workflow for the Development of Safety-Critical Software

Overview of the 2nd Edition of ISO 26262: Functional Safety Road Vehicles

WORK PLAN AND IV&V METHODOLOGY Information Technology - Independent Verification and Validation RFP No IVV-B

Functional Safety: ISO26262

Traceability in Model-Driven Engineering of Safety-Critical Systems

QuEST Forum. TL 9000 Quality Management System. Requirements Handbook

TURBO MACH A DIVISION OF VT SAA

Our Ref. April 28, 2005 Page 1/9. 1. Introduction References Certification... 4

Model-Based Design for ISO Applications. April 2010

CIS 890: High-Assurance Systems

Organization-technical methods for development of on-board equipment based on IMA Koverninskiy Igor V., Kan Anna V. FGUP GosNIIAS

Lecture 9 Dependability; safety-critical systems

Functional Safety with ISO Principles and Practice Dr. Christof Ebert, Dr. Arnulf Braatz Vector Consulting Services

Software Testing Conference (STC) Leveraging Requirement Based Test Practices For Non-Safety Critical Software Systems

2010 Green Hills Software, Inc Slide 1

REQUIREMENTS FOR SAFETY RELATED SOFTWARE IN DEFENCE EQUIPMENT PART 1: REQUIREMENTS

ISO 45001:2018 Migration Self-Assessment Guide. How ready are you for ISO 45001?

Challenge H: For an even safer and more secure railway

Smart Strategic Approach for Functional Safety Implementation. Chandrashekara N Santosh Kumar Molleti

Requirements Traceability. Clarity Add-On TRC Module. Author Paul J Schofield

QUALITY MANUAL. Origination Date: XXXX. Latest Revision Date. Revision Orig

Mentor Safe IC ISO & IEC Functional Safety

c) Have personnel been appointed to supervise the production operations across all shifts in order to ensure the product quality?

SOFTWARE FAILURE MODES EFFECTS ANALYSIS OVERVIEW

Bugs are costly... Kinds of Quality Assurance

Safety cannot rely on testing

Agile/Lean & Safety: Perfect Match or Impossible Combination?

INTRODUCTION. It is the process used to identify the correctness, completeness and quality of developed computer software.

AS9102 Frequently Asked Questions

ISTQB Certified Tester. Foundation Level. Sample Exam 1

SESA Transportation Working Group

CORPORATE MANUAL OF INTEGRATED MANAGEMENT SYSTEM

Quality management systems

Validation, Verification and MER Case Study

This document describes the overall software development process of microcontroller software during all phases of the Company Name product life cycle.

codebeamer ALM supports Aviation Development and Regulatory Compliance (DO-178B/C, DO-254, and more)

IEC Functional Safety Assessment

Development of Safety Related Systems

KINGS COLLEGE OF ENGINEERING DEPARTMENT OF INFORMATION TECHNOLOGY QUESTION BANK

HP Standard Supplier Requirements for Safe and Legal Products

Performing Audits. Def An assessment of the methods and procedures used. Philip Randall

Summary of ISO 9001:2015 New and Changed Requirements

Second Generation Model-based Testing

IEC Functional Safety Assessment

SAMPLE PAGES FOR AS9100D POCKET GUIDE

ISO 9001:2015 Expectations

Functional Safety Implications for Development Infrastructures

Software Engineering. Lecture # 22

I. Development, Submittal, and Acceptance of a Quality Management System

Monroe Engineering is committed to customer satisfaction; we strive for Continuous Improvement in our products and our people.

ISO 9001: Understanding the changes

SOFTWARE APPS AS MEDICAL DEVICES. The Regulatory Landscape 2015 WHITE PAPER WHITE PAPER PRODUCED BY MAETRICS

Supplier Quality System Survey

Toolbox for Architecture Framework Discussions at The Open Group. SKF Group, February 2018

25 D.L. Martin Drive Mercersburg, PA (717)

Short company introduction. Outline. SW FMEA: introduction and motivation Proposed methodology Feedback from application Conclusion and next steps

It s time to be more Optimistic about Negative Testing 12 th Annual International Software Testing Conference Saroj Patnaik 20-October-2012

Certifying Automotive Electronic Solutions

Requirements Are Evolving In The Elevator Industry. November 28, 2012

Research on software systems dependability at the OECD Halden Reactor Project

ISO/IEC Service Management. Your implementation guide

Software Project & Risk Management Courses Offered by The Westfall Team

Transcription:

Medical Device Software under IEC 62304 George Romanski

IEC 62304 Medical Device Software Software Lifecycle Processes Quality Management System* RISK MANAGEMENT Software Safety Classification Development Process Maintenance Process Configuration Management* Problem Reporting and Management* * These processes are Universal between the standards

Software Safety Assessment For Avionics ARP-4761 (Safety Assessment) For Medical ISO 14971 (Safety/Risk) Normative reference For Automotive Part of ISO 26262 For Industrial Part of IEC 61508 For Trains Part of EN 50128 Level chosen for System then applied to Software --- How do you assess for RTOS? Different terms: Design Assurance Level, Software Integrity Level, Class Same Principle: Consequence/Exposure, Severity -> Level for software

What level is Device Software? Software Faults do not follow Gauss Normal Distribution (Bell Curve) Given 10,000 lines of code You test and find 10 software faults What is the probability of finding another fault with another test? We Don t know distribution of faults Software must be assumed to be level C until shown by Risk Assessment that a lower level is applicable!

Software Risks Does it do what it should? Does it do More than it should? It does something wrong Is an action late Is an action too early Are a sequence of actions in the wrong order? How can we be sure? enough ALARP As Low as Reasonably Practicable (RISK)

Software of Unknown Provenance (SOUP) Tasks Tasks Tasks Medical Device Application Semaphores Semaphores Message Message Queues Queues ISRs others Wrapper With thin interface Behavior managed by RTOS Kalman Filter Software (SOUP) RTOS Software (SOUP)

Software of Unknown Provenance (SOUP) Tasks Tasks Tasks Medical Device Application Semaphores Semaphores Message Message Queues Queues ISRs others Wrapper With thin interface Different SOUPs Behavior managed by RTOS Kalman Filter Software (SOUP) RTOS Software (SOUP)

Failure conditions potentially induced by RTOS Data is incorrectly modified. Incorrect results are provided to the application. Expected results are not provided or are provided past their deadlines. User code is not executed as expected (not run, incorrectly run, and incorrectly sequenced). Fault conditions are not detected. Fault conditions are handled incorrectly. False failure conditions are reported. Incorrect or untimely response provided by the RTOS to external or user generated events.

Failure conditions potentially induced by RTOS Data is incorrectly modified. Incorrect results are provided to the application. Expected results are not provided or are provided past their deadlines. User code is not executed as expected (not run, incorrectly run, and incorrectly sequenced). Fault conditions are not detected. Fault conditions are handled incorrectly. False failure conditions are reported. Reduce risk by Using Certified RTOS Incorrect or untimely response provided by the RTOS to external or user generated events.

Managing Risk - ISO 14971 Risk Management Plan Risk Management Processes Identify Risks Evaluate Control Verify Risk Management File

Medical Device Based on Risk Assessment Develop Hardware Develop Software Risks Functional Requirements Integrate System System Risk Analysis

System Hazard Software Class System Hazard No Injury A Non-Serious injury B Death or Serious injury C If failure in Software leads to System Hazard Software categorizes as Class A Class B Class C ISO 14971 IEC 62304

Risk Analysis Failure Mode Analysis Identify Potential Risks Determine Risk Exposure Continuous while operational Frequent Occasional Can Software contribute to Hazards Can Hazards be mitigated Finding potential hazards in Software can be TOUGH!

Requirements Hierarchies DO-178B ARP 4754A System Requirements Intended Software Behavior High-Level Requirements DO-178C Requirements based on Software Architecture Intended System Behavior Low-Level Requirements

Requirement/Design organization ISO 14971 Risk Management Intended System/ Software Behavior Requirements IEC 62304 Software based on Requirements Intended System Behavior Low-Level Design

Parameter Data Items Parameter Data Items can be developed and verified separately if certain conditions are met The high-level requirements describe how the software uses the parameter data items The low-level requirements define the structure, attributes and allowable values of the parameter data items Verification should show that every data element has the correct value or correct value is in equivalence class and boundaries are verified e.g. Configuration Vectors

Our Experience Develop verification evidence using a DO-178C software Lifecycle All of the other Lifecycle processes will fall into place. Some additional documents required Safety Plan Safety Manual Staff Competency Assessment Actual assessment required not just Resume

More Experience Interpretations and negotiations are prevalent in Automotive, Medical and Rail industries. TUV were strict on first Verocel certification Plans, procedures and standards approved Subsequent certifications were straightforward Manufacturing reject tracking needed to be addressed (for software)?

Finding and eliminating unintended behavior Requirements describe intended behavior Software developed against requirements (TRACED) Tests written against requirements (ONLY) and (TRACED) Software coverage by tests measured Any software not covered demonstrates unintended behavior This is a risk that must be eliminated.

Code Coverage Analysis Requirements used to specify intended behavior Write tests using Requirements ONLY Normal Range Robustness Equivalence Class Boundary Value Run tests and measure how much code was executed Assess is non-executed code should not be there Coverage Analysis not required explicitly by IEC 62304, but Hard to mitigate Unintended Functionality risk without

Coding Standards Standards Required used to show goodness of various properties Code Layout Code consistency Readability Avoidance of risky constructs Etc.

Code Review Verifies Conformance to Standards Verifies conformance to review criteria Verifies code against intended behavior Low-level Design Low-level requirements

Code Analysis Tools (The silver bullet?) Perform consistency checks Perform checks against defined coding rules (e.g. MISRA C) to find errors like: Use of variable before initialization Indexing out of bounds (simple cases) Potential deadlock Unreachable code (sometimes) Arithmetic overflow (sometimes) Good quality step, reduction of potential faults, BUT!

Code Analysis Tools for Certification Checks are incomplete Hard to assess what checks must be completed manually No analysis against intended behavior Low-level design Low-level requirements Only partial credit may be taken!

Configuration Management Processes Identification Versions Baseline Change Control Documented process Change Control Board Configuration Accounting History tracking Access Controls

Segregation of Software Components RTOS APP_One Class C Components can be segregated and treated as Class C on same computer. Required Fault Containment Memory Partitioning Time Partitioning APP_Two Class A App-Two cannot adversely affect Class C software

Audit Risk Scenario 1 Prepare Verification evidence on paper Instruct Engineers to give YES/NO answers All information available, but difficult to locate. Auditor cannot make good assessment Applicant passes with substandard/incomplete audit. Not the Verocel Way!

The Verocel Approach Plans, QA records, CM-data, and Certification data: Hyperlinked data easy to find and trace All data open and put on DVD-ROM Auditors can trace their own copies All data extracted from Traceability database, and CM repository

Auditors approach Developers/Certifiers Develop Plans and Standards Develop Certification evidence using P&S QA Checks that P&S are followed Auditors Review Plans and Standards Sample Cert evidence Check QA Audits If a controlled process was used consistently And Sample is good Then we can trust the rest of the certification evidence and the software

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback