Skip to main content

EN

 {fastsocialshare}

Finally! State-of-the-art Medical Device IT Security Requirements! And they are free! And you can download them!

For those of us who (in vain) have poured over IT Security standards and guidelines of variable quality in order to distillate useful requirements: look no further! A state-of-the-art, useable Medical Device IT Security guideline is finally here!

The Johner Institute has in collaboration with TÜV SÜD, TÜV Nord and Dr. Heidenreich (Siemens) compiled an excellent set of Medical Device Cyber Security Process and Product requirements and made it available to the industry for free.

Roughly 150 IT Security requirements are available in the Guideline covering both process requirements as well as product requirements, including the level of expertise needed to implement them, are available in the following structure:

Process requirements

Requirements for the development process

  • Intended purpose and stakeholder requirements
  • System and software requirements
  • System and software architecture
  • Implementation and development of the software
  • Evaluation of software units
  • System and software tests
  • Product release

Requirements for the post-development phase

  • Production, distribution, installation
  • Market surveillance
  • Incident response plan

Product requirements

  • Preliminary remarks and general requirements
  • System requirements
  • System and software architecture
  • Support materials

This IT Security Guideline is directed to Medical Device Manufacturers as well as Auditors, Reviewers, and Hospital Management.

Dr. Johner and his collaborators have in this guideline managed to deliver concrete, best-practice guidelines, something that most other standards and regulations certainly tend to lacks.

Patches

The entire guideline is available in the GitHub-Repository „IT Security Guideline“ (https://github.com/johner-institut/it-security-guideline/) and is a recommended read for everyone concerned with Medical Device cybersecurity. You can also download Excel files with the requirements from the Johner Institute website.

We have made the Product IT Security Requirements available as a downloadable extension for Aligned Elements. It is recommended to use them in conjunction with the material in the mentioned GitHub-repository, which contains valuable additional information and footnotes that explain the rationale and context for some of the requirements.

 

 {fastsocialshare}

In the beginning, there was the User Need.

According to FDA, the User Needs are the starting point for building a safe and efficient medical device. However, User Needs can be elusive to an engineering team used to rigid techniques and accustomed to having "full information" when approaching a problem.

bikeIt is rather rare that the developer has the real and deep experience a User has and it can therefore be precarious to leave the User Need elicitation process in the hands of an engineering team. Here are some tips for eliciting better User Needs.

Consider the Intended Use

It has been said 100 times before, but I say it again: start out by considering the Intended Use and Indication for Use.

These two items will tell you:

  • who is the device for (or rather, who do you say the device is for)
  • why (or for what) is the user using this device (or rather, for what you say the device is to be used for)

The whole idea here is to get as close as possible to the user and the situation in which the user applies the device. What medical condition is the device intended to address? Where and under which circumstances is the device being used? In a hospital or an ambulance? During the night? In the rain? By a child? By a blind person?

Answering these questions will put you in the shoes of the user and will let you describe the user's needs in his or her own words. Imagining being the user in the situation where the need for using the device arises will also give you an idea of the constraints facing the user at the time of application.

Thus, considering the "who" and the "why" is generally a more fruitful starting point than elaborating on the "how" (which is what engineers tend to do).

Who is the user?

In a majority of cases, a medical device is handled by more than one type of User during the product's life cycle. This becomes clear when considering non-core usage tasks such as:

  • transportation
  • installation
  • calibration
  • maintenance
  • service
  • decommissioning

How did the device arrive at the usage location? How and by whom was it deployed? Was it carried in a pocket? Was it transported by air? 

Apparently, it is important to consider all people involved with the handling of the device since these actions may have safety implications. Again, do not second guess the needs of these users but involve them in the process.

User Needs can be vague

Using fuzzy language (such as adverbs) when documenting requirements is a known bad-practice. However, User Needs may be written in a less prescriptive way if it captures important aspects of the User and the Usage. We know that, in the end, the Medical Device will end up being very concrete and void of any fuzziness.

The challenge thus lies in translating the potentially fuzzy language used in User Needs into concrete specifications in the Design Input Requirements and concrete Validation Tests. Make sure that the User Needs are well understood by the team deriving the Design Input Requirements and Validation Tests from the User Needs.

Not all input is User Needs

Costs, brand colors, production constraints are examples of important design input that are not necessarily User Needs. I usually recommend to my clients that they add an additional Design Control type for Stakeholder Needs in order to pick up this input which definitely influences the design, although it is not always required to be verified or validated.

When setting up the validation activities, you must be explicit about what you intend to validate and explicitly define the criteria applied to make this selection. By separating the input in the two mentioned Design Control Types makes it easy to explain which Design Controls are intended for validation (User Needs) and which are not (Stakeholder Needs).

Write User Needs with Validation in mind

The way User Needs are written will heavily influence the Validation activities. Since Validation is a resource-intensive (and therefore expensive) activity, it makes sense to keep a close eye on the proposed validation work that will be derived by a User Need when writing it.

If some of the validation activities are already known at an early stage, the team can use this knowledge to cleverly formulate the User Needs in a way to maximize the coverage of the known validation activities. By this, I do not mean that important User Needs should be left out but rather than formulating and structuring the combined User Needs can have a positive or negative impact on the validation effort.

By following these simple guidelines, you should be able to get more bang for the buck next time you elicitate User Needs.

Aligned Elements, the medical device ALM, manages end-to-end traceability of all Design Control items, including User Needs, Design Input Requirements, Validation and Verification Testing. If you are interested in an online demonstration of Aligned Elements, let us know on This email address is being protected from spambots. You need JavaScript enabled to view it.

{fastsocialshare}

Risk Assessments play a central role in Medical Device development. All medical device manufacturers apply risk management (they should because they have to!). All of them claim to be compliant with ISO 14971. And all of them do it differently.

I have worked with a large number of clients and I have seen more Risk Assessment variants than I can count. Some are good, some have, let's say, "potential".  

zeppelinwtext

From this experience, I can deduce a few best practices that will reduce the risk assessment effort considerably.

Here are my top five tips:

Don't brainstorm to identify risks

You are required to identify and assess ALL potential risks. How do you find them ALL? That can be a daunting question for someone new to the medical device industry.

However, the solution is to be structured i.e. to use a structured approach to systematically identify risks. There exist several known methods to do this, including:

  • Task Analysis (analysing the use process)
  • System Analysis (analysing the system through decomposition)
  • Using the ISO 14971 annex questions
  • Using existing risk reports of similar devices

Regardless of the approach selected, brainstorming should not be one of them. There are a number of well-known reasons for this, the most important one being that you will miss important risks.

Next time around, try a structured technique. You will identify more risks. I promise.

Use both top-down and bottom-up Risk Assessments

Some companies rely on EITHER bottom-up OR top-down risk assessment techniques and miss out on the fact that both approaches deliver vital and often DIFFERENT risks.

Top-down risk assessment techniques (such as PHA or Task Analysis) can be done early in the development process without much knowledge about the actual design of the device. It is a great tool for early identifying use errors and probably misuses.

Once the device design is known, the selected design itself must be analysed for risks (such as materials used, geometry, movements, and energy emittance, etc.) through a bottom-up risk assessment. FMEA's are very popular and well designed for this purpose. Both these techniques complement each other and should be conducted by any serious medical device manufacturer.

Don't keep Design Controls and Risk Management in separate systems

Design drives risk. And Risk drives design. This will become apparent when you need to follow up on the implementation and verification of mitigations as well as the further analysis if mitigations introduce new risks. The glue between the design and the risks is traceability. The effort of managing this traceability in a paper-based documentation system will be VERY high (those of you who have done it will nod now!).

So is applying software tools the solution? Not necessarily, since proper traceability monitoring can not be done until the requirement management tool is integrated with the risk management tool (or vice versa). Only by automatically managing the traceability between the Risk Assessment Items and the Design Items, preferably in a single tool, can true trace monitoring be obtained.

Use reasonable probability and severity scales

I am glad to see a clear trend of tightening down the probability and severity scales during the risk evaluations. From previously having used up to 10 steps, the current trend tends towards five to six steps or less. People simply have a very hard time judging whether a probability should be six or seven on a 1-10 scale and spend too much time pondering such questions. The range of options is simply too large to be effective!

For the probability axis, I would like to endorse Dr. Johner's approach of having each step representing 2 orders of magnitude. He explains this very well by saying, that apart from such an approach lets the probability axis span over more than 8 order of magnitudes, "...the factor 100 indicates the precision which we can appreciate... If you ask a group of people, how long it takes (on average) for a hard disk to be defective, the estimates vary between 2 years and 10 years. But everyone realizes that this average is greater than one month and less than 10 years. And between these two values is about a factor of 100."

Make use of existing mitigations

In many cases, the risk assessment is carried out when the design is already known. In such cases: when coming up with mitigations for your identified risks, use the already existing mitigations in your current design!

I bet your current design already contains a whole bunch of design decisions that are risk mitigations without you really considering them as such. The absolute majority of design teams I have encountered are very, very good at designing innovative and safe devices. However, many of the design decisions taken are based on previous experience, industry state-of-the-art, or simply old habits having been refined over time. Since these engineers are often better designers than document writers, they simply do not see their design (often already in place) through the lens of risk management.

Bottom line: your current design already contains of an uncovered treasure of existing mitigations. Try to use your existing design as mitigations when performing your next risk assessment.

Aligned Elements, our medical device ALM, assists you in performing structured risk assessments. Its highly customizable risk assessment configuration can be set up for a large array of risk analysis variants. Should you be interested in a demonstration, contact us at This email address is being protected from spambots. You need JavaScript enabled to view it.

{fastsocialshare}

Risk Management is a crucial part of Medical Device Development and if you are about to develop a Medical Device, you and your team are likely to find yourselves spending many hours compiling Risk Assessments.

There exist several techniques for performing a proper Risk Assessment but they all follow the same basic steps:

  • Define your risk policy (risk acceptance criteria)
  • Identify the Hazards through a structured analysis
  • Evaluate the Risks by estimating severities and probability
  • Mitigate the Risks that are not acceptable
  • Implement and verify the mitigations for effectiveness

To get you started, we have made two free Risk Assessment Excel templates available for download.

Download Free Risk Assessment Templates

The first demonstrates a Failuremode and Effect Analysis (FMEA) approach, a widespread technique used in many areas and industries. We often see it in bottom-up types of Risk Assessment.

The second one uses a Preliminary Hazard Analysis (PHA) approach which is an excellent top-down approach earlier in the design cycle where many of the design details are not yet known.

Both these techniques are available in Aligned Elements and we have compared and contrasted them in earlier posts.

{fastsocialshare}

Requirements Management is strange. It is a well-researched area which each year yields an impressive number of articles, conferences, and known best-practices. Still, this body of knowledge remains remarkably underused by the people who would gain from it most. In many of the organisations I encounter, well-established requirements elicitation techniques are simply not undertaken.

Perhaps this has to do with the deceivingly simple task at hand. "I just need to write down what the device should be able to do. How hard can it be?". Hard enough it seems, if one considers the many reports stating how mismanaged requirements lead to enormous costs down the line.

This is exactly what Prof. Dr. Samuel Fricker and his team have established in their paper "Requirements Engineering: Best Practices" (2015).

He concludes that although each and every one of the 419 participating organisations "...elicited, planned, analysed, specified, checked, and managed requirements...", very few of them apply formal requirement elicitation techniques.

For those who did "...only three techniques correlated with requirements engineering success: scenarios of system use, business cases, and stakeholder workshops."

The common idea with these techniques is to:

  1. bring structure into the elicitation process
  2. involve many people in the discussion

Both parts are essential to success. Doing 1) without 2) misses out on critical knowledge in the organisation. Doing 2) without 1) is just wasteful. Personally, I have particularly good results from applying a variant of Use Scenarios called "Task Analysis / Task Risk Management" described by Andy Brisk. In short, this is a basic Task Analysis method, where processes are analysed step by step for requirements and risks.

Opposing the natural inclination of engineers to decompose a system into parts for analysis, this method focus on how you use the device, i.e. the system is decomposed into the scenarios where the user interacts with the system.

In other words, we let use drive design.

Mr. Brisk lists a number of process examples that coincides well with those applied to a generic medical device, such as:

  • Unpacking
  • Setup / Installation
  • Calibration
  • Startup
  • Daily Operation
  • Shutdown
  • Maintenance
  • Service
  • Alarms and Alerts
  • Decommission

If the found processes are too large to analyse, Mr. Brisk advises decomposing them further into manageable sizes.

Once the processes are identified, Mr. Brisk prioritizes the processes according to risk, in terms of:

  • Are there significant damaging consequences if the task is performed incorrectly? (High Severity of potential Harms)
  • Is there a reasonable likelihood that tasks will be performed incorrectly? (High Probability of Use Errors)

The idea of this risk-based prioritization is to focus on high-risk processes and analyse them early and thoroughly.

The processes are now analysed step-by-step, preferably by a group of people. They imagine and discuss the steps an imaginary user goes through to perform a task. How is the system accessed? How does the user communicate his intentions to the system and vice versa? What potential errors might the users make?

Task Analysis

Coloured post-it notes can be used to describe the steps on a wall. A tip is to use different colours for process steps and identified potential use errors. This approach manages to create both a common vocabulary of describing the system and its use, as well as creating a common understanding of how the device is meant to be used. It also tends to highlight areas where people had a different understanding of how the system should be used (by simply measuring the loudness of the discussion).

The Task Analysis described above is an easy and straight-forward way of eliciting requirements AND uncover high-level risks in a usage context. What makes it particularly suitable for Medical Device manufacturers is that it combines risk- and requirement elicitation in a single, common activity. Much too often, these two tasks are performed by separate groups in separate contexts.

A further bonus is that it intrinsically produces both Use Scenarios and Use Errors, which are substantial and essential parts of the Usability Management File.

Some important lessons learned using this method include:

  • Try to use a similar step granularity in all processes
  • Before starting, try to agree on what shall be considered "known" about the system
  • Define a clear Goal as well as Start and Endpoint for each process in order to declare the scope
  • Be generous with risks, rather too many than too few
  • Do not forget to write down the elicitated Scenarios and Risks before you leave the room

Aligned Elements supports the documentation of Use Scenarios and their associated Use Errors as described above in our IEC 62366 Configuration. The Use Errors are applied in the overall High-Level Risk Assessment to drive further design decisions.

{fastsocialshare}

That medical device development entails a lot of documentation should not be a surprise to anyone. Hundreds of documents are created, reviewed, released, then modified, reviewed, and released again. The majority of these documents need to be signed, often by two persons or more. Collecting signatures, although it seems like a trivial task, becomes a significant nuisance when the number of documents and releases increases.

One of our customers insisted on having 3 people sign each test case before release. Their 18 000 test cases yielded a combined signature collection effort of 5 man-years (estimated 30 mins to collect a single signature, their estimation).

It is rare to find medical device manufacturers that enjoy writing medical device development documents, but it is even rarer to find those who gladly spend their days collecting signatures for the said documents.

The obvious question is hence: how can we spend less time on document signatures?

For many medical device manufacturers, the equally obvious answer seems to be electronic (or digital) signatures.

So why is it so hard to get a signature?

There are several potential reasons for this. Maybe the Signer is a very busy person and simply has no time for this task. Maybe the Signer is located somewhere else through work, traveling, vacation, or other reasons. Or perhaps the previous Signer did not pass on the document to the next Signer in line. Or maybe a formal signature sequence (order) is forced by the document process in question, where a Signer that actually is available, is prevented to carry out the task since some Signer further up the signing sequence has not fulfilled hers. Or it might be that the document in question cannot be signed before some other related document has been released (i.e. signed).

Thus, there can be formal reasons but also trivial reasons why a signature does not get timely collected.

The most trivial is of course that it is just hard to physically get the document in front of the Signer (or the other way around) for some reason or another. Once you get that far, the literary "stroke of the pen" is usually a quick affair. This is the perceived major efficiency benefit of Electronic Signatures. You do not have to physically get the document in front of the Signer. The document does not need to get passed around. The Signer can pull it up (from an E-Signing System) whenever he wants, from wherever he is. This allows a quasi-parallel execution of signatures. Two people on different sides of the planet can sign the same document at the same time (almost)! Costs associated with printing, sending, scanning, and storing the paper copy are eliminated. E-Signatures also entail increased measures of security, enhanced authenticity, resisting tampering, and also provide accurate signature audit trails.

Before explaining how to introduce an E-Signing System, let me say a few words about Digital and Electronic Signatures.

Digital and Electronic Signatures

Even though the terms are often used interchangeably, there are some notable differences between the two concepts.

According to FDA, Electronic Signatures are "Compilation of data (user name/password, dongles, biometric)", which is unique for a person. This can be used to sign documents and is as legally binding as a “wet signature”. The signature and the association with the signed entity (document) are stored in a database of the Signature System. Furthermore, not all E-Signing Systems leave a visual mark on the signed document that indicates that it has actually been signed.

Digital Signatures, on the other hand, require a Digital Certificate that ensures the identity of the signer. A part of that Digital Certificate gets embedded in the signed document during the signing process. As a result, the validity of the signature can be checked independently of the E-Signing System.

So, someone needs to guarantee the identity of the signer.

For Electronic Signatures, the organisation (the manufacturer) does this by using the validated E-Signing System.

For Digital Signatures, it is the issuer of the Digital Certificate that ensures the identity of the signer. Digitally signed documents often also contain a visible signature.

Obviously, there seem to be several advantages to using Digital Signatures. The validity of the signed document can be inspected independently of the E-Signing System, which is an advantage if the E-Signing System goes down, is corrupted or the system vendor goes bankrupt.

Any drawbacks?

Yes, a few. Obtaining a Digital Certificate from a third-party vendor is expensive and requires an administrative effort. There is the obvious question of where and how to store these certificates as well as associate them with the user. They also have the nuisance to expire after a while and therefore need to get regularly renewed. People also have a tendency to marry and change their names etc. which also leads to renewals. Furthermore, it is not guaranteed that the validity shows up correctly in third-party viewers (like Acrobat PDF Reader), for technical reasons having to do with root certificates.

An organisation can circumvent all this by issuing its own Digital Certificates. This is somewhat of an IT "adventure" but it can be done. Costs can then be lowered somewhat but there is still a significant administrative effort. Moreover, internally generated Digital Certificates can of course not be validated by third-party viewers (like Acrobat PDF Reader).

So, there are pros and cons with both options.

However, they have several similarities, and most important of all, both methods are recognized by the FDA.

Let's do E-SIgning!

Let's say we want to engage in eSigning (Electronic or Digital). What kind of effort can we expect to get this up and running?

Here is a shortlist of some of the steps:

  • Assess the E-Signing System for Part 11 / Annex 11 compliance
  • Qualify the E-Signing System Vendor as Supplier according to your QMS
  • Assign responsible roles and people for the E-Signing System
  • Install and configure the E-Signing System
  • Make or buy the Digital Certificates (if used)
  • Adapt your QMS to recognize E-Signatures and describe how they are intended to work
  • Prepare all the Document Templates to be used for eSigning (the system needs to know where in the document the signature shall be placed. Page nr, location on the page, margins, and spaces, etc).
  • Validate the E-Signing System
  • Create E-Signature User Guidelines and train all users in how to use it
  • Notify the FDA (which is compulsory)

There is thus a non-neglectable initial effort to set up the E-Signing System, and also an effort to keep it maintained, both from a process as well as from an IT perspective.

There are also several other things to consider before you decide to go down the Electronic Signature path:

Document Life Cycle

All documents have a life cycle and the signing is only a very small part of this process. You need to consider how the document gets into the E-Signing System, how it interfaces with other systems such as Document Management Systems, workflow engines, or e-Forms of which the document may be a part.

You also need to pay attention to how you plan to archive the electronic documents. This might seem like a trivial question but it is more depth here than you think.

External Users

If external users (as in external to your organisation) are going to use the system, you need to prepare a process where they get access to the E-Signing System, including setting up a corresponding user in the system with the appropriate Digital Certificate if applicable. These external users also need to get trained in how to use the system.

Hybrid Signature Situations

Are you going to end up with documents that are partly signed electronically and partly with traditional "wet signatures"? If so, you need a described process for this as well.

Ownership

Last but not least you need to establish who has the ownership of the E-Signing System. Is it the IT Department that usually acquires and maintains IT systems? Or is it the R&D department that probably is the most frequent user of the system? Or is it the HR department that is concerned with the identity of the people working in the organisation? This needs to be clarified before you start.

Predicted Outcome

As mentioned, an E-Signing System will decrease the effort of placing the document in front of the Signer. It will reduce costs associated with transporting the paper copy of the document. It will also potentially increase the security and authenticity of the documents.

But there are things an E-Signing System cannot do. Regardless of how deep you entrench E-Signatures as a paradigm in your organisation, you will almost inevitably have a residual number of documents that are signed with ink. Thus, no matter how much you push E-Signatures you will end up with a hybrid system, composed of documents signed electronically and documents signed with ink. Be prepared for this.

Then, a Signature System is per se an IT system with all the work it entails. It needs to be validated and maintained, people will repeatedly forget their credentials if they do not use the system frequently and there will be ubiquitous bugs and errors. This all means increased costs that need to be compared and contrasted with the costs by using a manual system.

Finally, an E-Signature System does not make bad processes good just by digitizing them. Overloaded employees will still remain overloaded regardless.

For which situations does E-Signatures make sense?

E-Signatures make sense when signing is a routine operation i.e. when a user makes several signings per week. E-signing for the occasional (or maybe even singular) CEO signature on a Product Requirements Document does not warrant the effort.  

Document types that are well suited for E-Signatures are those that exist in many instances and that have a comparably small amount of actual content (as in "quick to read"). Examples of such document types are time reports, expense reports, purchasing approvals, and test case documents.

Last but not least, maintenance is of course made easier if all Signers are part of the organisation (as opposed to involving multiple external users).

Efficient with and without E-signatures

If you find it cumbersome to collect signatures today, there are several ways you can scrutinize your organisation for efficiency improvements.

Analyse current signing process

Are all these signatures really necessary? Ask yourself why they were added ("It is required by our process" is not a valid answer) and most importantly, what does the particular signature mean? In what way does a particular signature make the document "better"?

Don’t get dependent on busy Signers

The overloaded Project Manager or CTO that never has time for signing is a common bottleneck in many organisations. Appoint deputies to all signing functions (the deputies shall also have deputies). Try to avoid sequentially forced signature sequences. They cost more than they bring. Finally, simply planning the signing occasion like a regular meeting (set up a meeting in the calendar) might yield some good results.

I hope this post has highlighted some of the pros and cons of employing Electronic Signatures. If there is anything I want you to take home it is probably this:

  • Signature efficiency stands and falls with the process, not the system
  • Analyse and improve the process first!!
  • E-signatures can be very beneficial in specific situations
  • E-signatures gains (i.e. speed gains) must be weighed against costs

Aligned Elements supports electronic as well as digital signatures of documents with automatic relaying to external Document Management Systems.

If you would like to get a demonstration of e-Signatures in Aligned Elements, just let us know.

{fastsocialshare}

Test managers often have to deal with superhuman juggling of timelines, resource allocations and continuously changing specifications while facing increasing pressure from management as the shipping-date draws closer. Furthermore, the test manager is responsible for making sure that the traceability is completed, that test data integrity remains intact, and that change management procedures are followed correctly, even under situations of extreme stress.

Efficient change management, planning, tracking, and reuse of test executions are therefore much appreciated tools in the V&V Managers toolbox. The Aligned Elements Test Runs aims to address these challenges. The Test Runs manages the planning, allocation, execution, and tracking of test activities. Let's dive into the details.

Planning the Test Run

The Test Run Planning section is the place to define the Test Run context, much as you would write a Verification Plan.

The Test Run Planning information includes:

  • What to test i.e. information the Object Under Test and the addressed configurations
  • When to perform the tests i.e. the planned start and end date for the Test Run
  • Who participates in the test effort i.e. the team of testers and their allocated work
  • How to test the device i.e. which test strategy to use by selecting among the existing test types
  • Why the test is being done i.e. the purpose or reason for performing this particular set of tests on this Object Under Test

Quality Assurance in Aligned Elements

Allocate existing Test Cases from your Test Case library to the Test Run by using simple drag-and-drop. You can use any number of tests of any available types from any number of projects. If needed, add Test Run specific information to the Test Cases and designate the Test Cases to the members of the Test Team.

Once the planning phase is completed, the Test Execution can begin.

The Test Execution phase 

Test Case data is kept separate from the Test Execution result data, permitting a high degree of test case reuse and a clear separation between Test Instructions and Test Results.
Consistency checks are optionally carried out on the Test Case before execution in order to ensure that tests cannot be performed until all foreseen process steps are completed.
During execution, the test input data is optionally kept read-only, preventing testers to modify a reviewed and released Test Case during execution.

All Test Team Members can access the Test Run and simultaneously Execute Tests as well as continuously monitor how the Execution phase progresses.

Test Run Progress Bar

Real-Time Test Execution data is presented through:

  • Individual Test Execution results including any found defects as well as colour-coded feedback on states
  • Colour coded test progression statistics, with the possibility to drill down on e.g. individual Testers or Test Types
  • Burndown charts, showing how planned Test progress over time corresponds to the actual progression

Defect Tracking

During Test Execution, Defects and Anomalies can be created and traced on-the-fly without having to leave the Test Execution context. The Defects can be tracked in either Aligned Elements internal Issue Management system or already existing integrated Issue Trackers such as Jira, TFS, GitHub, Trac or Countersoft Gemini or any mix of these systems. Created Defects and their corresponding status are displayed in the Test Run.

TestCaseList

Test Case Change Management

When developing medical devices, it is of paramount importance to keep your Design Control under tight change control.
The Test Run assist the testers and test managers in several ways to accomplish this goal, including optional actions:

  • Preventing inconsistent tests from being executed
  • Preventing input data to get modified during test execution
  • Allowing Test Managers to lock/freeze Design Input and Tests during execution
  • Alert testers when attempting to modify tests for which valid results already exist
  • Signalize whether a Test Case has been reviewed and released or not
  • Allowing the user to explicitly invalidate existing test results when a test is updated with major changes

Testing Variants of the Object Under Test

If several variants of the Object Under Test exist, it is sometimes desirable to create variant-specific test results for common test cases and subsequently create separate traceabilities for the variants. The Test Run uses a concept called "Configurations" to achieve this behaviour. A Test Case is executed for one or more Configurations to make sure that variant-specific test results are kept separate.

The exact data composition of a Configuration is customizable to fit the needs of each customer.

Complete the Test Run

Once all Test Cases has been completed, the Test Run and all its content is set to read-only. Optionally, a Snapshot of all Test Run relevant items is created as part of the completion procedure. A Test Run report containing all the necessary Test Run information can be inserted into any Word Document using Aligned Elements Word Integration with a single drag and drop action.

The Test Run is a Test Managers best friend, providing the flexibility needed during test planning and full transparency during test execution, making it possible to quickly react as real-time test events unfold.

Note: Burn Down Charts is under development at the point of writing and planned to be released in the next service pack.

{fastsocialshare}

The medical device as a stand-alone product is a waning concept.

The desire to make use of the information collected in a medical device in other health systems, coupled with recent advancements in networks and interconnectivity has resulted in more devices being connected to the Internet. As a consequence, they have become more vulnerable to hackers.

A 2015 KPMG survey found that 81 percent of health care organizations had their data compromised within the previous two years.

FBI reports (FBI Cyber Division PIN (Private Industry Notification) #140408-010) that due to the transition of paper to electronic health records, lax cybersecurity standards and higher financial payout for medical records in the black market, the "cyber actors will likely increase cyber intrusions against health care systems". 

During 2016, several ransom-attacks were launched against health institutions in the United States with wide-ranging consequences. 

FDA has shown heightened interest in cybersecurity issues and released three guidelines during the last two years. Medical Device manufacturers are likely to focus more on cybersecurity risk management activities in the near future and assign additional resources accordingly.

One integral part of the cybersecurity risk management process constitutes the risk assessment.

Performing risk assessments is a core activity in the medical device industry and many of the available techniques are well-known and well-used by industry professionals. Having long and thorough experience of risk management might lead the same professionals to believe that cybersecurity issues can be harnessed by the tools already at hand.

There are, however, key aspects where cybersecurity risks differ from traditional medical device risks.

Risk identification and the building blocks of a cybersecurity risk

The fundamental challenge during risk identification is to ensure that all relevant risks have been identified.

Verifying that this criterion has been fulfilled is often difficult and therefore structural help and practical advice is very welcome.

Due to the wide variety of possible medical device types, ISO 14971, the standard for medical device risk management, understandably has a hard time defining concrete identification techniques that are relevant enough to provide value for every kind of medical device. 

IT risk management, operating in a narrower technical scope, provides a host of techniques, tailored to this domain. Many of these techniques are based around the asset-vulnerability-threat model. 

These components can be described as followed.  

  • Assets are the entities a cyber-intruder attempts to access and control. An asset has a value to the patient and therefore also to an intruder. In a safety-related context, we can exemplify assets as device configurations, health data, medical device functions, or battery power.
  • Vulnerabilities represent weaknesses in the medical device that, when exploited, can give an intruder access to an asset. Software bugs, application design flaws, and insufficient input validation are examples of software vulnerabilities. But vulnerabilities can also be found in hardware, business processes, organizational structures, and interpersonal communication.
  • A threat is defined as an event with the potential to an adverse impact on an asset. The threat is executed by a threat agent (i.e. an intruder) exploiting a vulnerability in order to access an asset.

A combination of these building blocks describes a cybersecurity risk. 

As a starting point, the manufacturer should be able to enumerate assets for the given device. By analyzing how these assets can be targeted, e.g. by performing a “Threat modeling analysis”, using a data flow analysis of the application, identifying "data-at-rest" (data storage) and "data-in-motion" (data transfer) will further help the manufacturer to identify vulnerabilities and threats, particular to the medical device.

Bottom-line: Identifying assets, threats, and vulnerabilities will support the manufacturer when enumerating potential cybersecurity risks. The identified items should be listed in the risk management documentation.

What is the probability of a cyber attack?

The Medical Device industry takes its risk assessment cues from ISO 14971, which defines risk as the combination of the probability of the occurrence of harm and the severity of that harm. 

The computer security industry, on the other hand, has used several kinds of assessment methods to estimate the "riskiness" of cybersecurity risks. None of them rely solely on the probability and severity of an event. Instead, these techniques estimate and/or quantify aspects of the assets, threats, and vulnerabilities that in combination say something about the computer security risk. 

So how can the medical device risk assessment methods concerned with the safety of patients be connected with techniques whose primary concern is information security?

In the AAMI paper "TIR 57 - Principles for medical device security - Risk Management", the authors address this discrepancy and attempt to transpose the cybersecurity line of thinking into the domain of ISO 14971. 

It is easy to see how the "potential adverse effect" can be regarded as analogue to the “Harm” in ISO 14971 and be quantified with a corresponding severity.

The probability factor in ISO 14971 does not have a direct equivalent in the cybersecurity risk domain. A composite factor called "exploitability" combining characteristics of the vulnerability, the threat agent, and the medical device itself is mentioned in the FDA guidelines. This factor intends to indicate the amount of work involved in order to invoke a successful attack.

The AAMI TIR57 group suggests a two-pronged approach to establish something similar, combining two likelihood factors.

The first factor, the “Threat Likelihood”, defines the likelihood of the threat agent having the motivation, skills, and resources to exploit a given vulnerability.

The second factor estimates the likelihood of harm being the effect of an exploited vulnerability.  These two factors in combination make out the probability of the cybersecurity risk.

Note that this approach is similar to the P1 (probability of the hazardous situation occurring) / P2 (probability of the hazardous situation causing harm) frequently used in the medical device community.

Information security theory recognizes that aspects and characteristics of the threat agent, the vulnerability, and the device itself drive these factors.

Bottom-line: caution shall be taken when estimating probability/likelihood/exploitability for cybersecurity risks. The manufacturer's Risk Management SOP shall address this concern accordingly and be adapted if necessary.

The drivers of cybersecurity risks

During classic medical device risk assessments, the identified causes leading to hazardous situations and potentially to harms are in most cases accidental. Although malicious use should be considered, this area often receives considerably less attention than harms caused by accidental events. 

For cybersecurity risks, the opposite is true. Here, a significant factor in the causal chain constitutes the intentional behavior of a threat agent causing harm by exploiting a vulnerability.

Whereas the software flaw might have been created accidentally, exploiting it is an intentional act.

A malicious agent may come in many shapes and forms, such as a criminal organization, a competitor, or disgruntled employees. Each of these has its own motivation, skill set, and reach when it comes to detecting and exploiting vulnerabilities, which affects the likelihood of a vulnerability being exploited as we have seen above.

Therefore, not only needs the focus to be shifted from accidentally caused risks to intentionally caused risks. The manufacturer benefits from analyzing the characteristics of the malicious intruder in order to do a proper risk assessment.

Bottom line: Manufacturers will need to shift perspective from accidentally caused risks to explicit maliciously caused risks during the identification and classification of the risk assessment.

The poisoned SOUP

Just like in the rest of the software industry, medical device companies use third-party libraries to increase productivity when developing medical devices.

These third-party libraries (or frameworks or applications), sometimes referred to as "SOUP" components (Software of Unknown Provenance) are of course also subject to cybersecurity scrutiny.

It is debatable if third-party components, and in particular open source components, are inherently more unsafe than proprietary produced applications (there are several arguments against such claims).

Regardless of this claim, it can be safely assumed that many of these libraries were not developed with a medical device cybersecurity context in mind. The security firm “Contrast Security” reports that 26% of downloaded SOUP:s contained known vulnerabilities and were still applied.

It shall be noted that SOUP:s themselves often rely on and integrate third-party software, which increases the scope of the problem accordingly.

The medical device manufacturer is responsible for any vulnerabilities caused by SOUP:s in his device and must therefore analyses his SOUP:s accordingly.

This shall include a systematic inventory of SOUP:s, actively collecting information on current vulnerabilities in SOUP:s as well as applying timely updates of the SOUP:s when available.

Bottom-line: The manufacturer must have a clear plan for how to handle potential cybersecurity risks in SOUP:s. 

Skills required to assess cybersecurity risks

Cybersecurity vulnerabilities are largely made up of software flaws. Understanding the technical details of how such vulnerabilities come into being, the technical influence they have, and how they can be mitigated requires precise software knowledge. Including software developers in the assessment group is, therefore, a highly recommended measure.

It is a misconception that all software professionals are software security professionals. The majority of today’s information security problems can be traced to flaws in code. Many software developers lack basic training and understanding of cybersecurity. 

As already mentioned, the security scope for an interconnected medical device is much larger than the device itself. The network infrastructure in which connected medical devices operate is often outside the control of the medical device manufacturer but still has a great impact on the overall risk exposure and needs to be included in the risk assessment.

It is likewise a misconception that cybersecurity is a strictly technical field. Cybersecurity vulnerabilities are not exclusively found in hardware and software but also in business processes, organizational structures, human behavior, and the environment in which the device operates. A thorough understanding of where, how, and by whom the medical device will be operated is therefore important input for the risk assessment.

Last but not least, the clinical experts are required for estimating the potential harm of compromised availability, confidentiality, and integrity of the associated data.

All these competencies are required in order to perform a comprehensive cybersecurity risk assessment and it is clear that it stretches beyond being an internal R&D activity.

The risk assessment benefits from involving stakeholders beyond the immediate software development team. If specific cybersecurity expertise is lacking in the organization, the manufacturer should consider employing or train their own experts or outsource these functions to a competent partner.

Bottom-line: the knowledge required to perform a medical device cybersecurity risk assessment is both broader and deeper than what is often immediately available in many medical device companies. 

Conclusion

The medical device industry has extensive experience with risk management and risk assessment techniques.

The cybersecurity dimension of medical device development is an additional aspect where risk assessments can enhance safety.

However, traditional medical device risk assessment techniques need adaptation in order to successfully be applied to cybersecurity risks.

Cybersecurity risks consist of other aspects and other drivers than "classic" medical device risks and are best mitigated by recognizing these differences.

{fastsocialshare}

One audit to rule them all. 

Sounds good, doesn't it?

ring

If you have spent a lot of time in audits lately, then you are certainly not alone. More and more company resources are devoted to a continuous string of auditing activities. The Medical Device Single Audit Program is an initiative by the IMDRF intended to curb the audit avalanche.  

But does the promise hold? Or is it too good to be true?

Read this inside story from a recent MDSAP audit experience.

{fastsocialshare}

You spend too much time and money on documentation.

Agreed?

Good.

So what is your plan?

The regulations of the medical device industry require us to produce a pretty hefty chunk of documentation to show that the device is safe and efficient. If the documentation is not compliant, then it does not matter how safe, secure and performant the device itself it. Therefore, the documentation aspect that receives the largest share of attention is compliance. The most common path to a compliant stack of documents is to throw heaps of man-hours at the problem. Quantity seems to be the weapon of choice in many firms.

As a consequence, a large number of people get involved in the documentation creation and maintenance, especially people residing in the R&D part of the organization as most companies do not have Document Officers or documentation experts in their organization.

However, engineers and scientists are not necessarily the best writers (And they probably have no ambition to be.) Staff who are necessary for other tasks struggle to find the time to write these documents, and so the documents they do produce may be of lower quality than their usual work.

The effect on these people is often a suffocating feeling of inefficiency and frustration of spending an un-proportionally large part of the working day on menial documentation tasks, deciphering SOP:S and unpractical standards to compile documents that no-one reads (apart from the auditor).

lifebelt

Our studies show that up to 30% of the total project effort is spent on documentation required by regulations. There is also an overwhelming consensus in the industry that this is far too much. Money and time are inefficiently spent and morale buckles as the workload increases.

The good news is that these problems can be fixed. The bad news is that you are going to lose time, money, and people until you fix them.

Excelling at documentation efficiency is not intuitive to many R&D-centric organizations. However, considering the situation described above, good documentation practices is an investment. In the medical device industry, it is even a competitive dimension.

Your company can be efficient!!

Some good starting points are:

  • Make documentation efficiency a prioritized objective using measurable goals
  • Assign a responsible Manager
  • Set up a tight collaboration between the people writing templates and SOPs (Quality people) and the people using the templates and SOPs (R&D people)
  • Analyze your documentation processes
  • Apply the right software tools to automate documentation tasks

You can start right away!

Download our Medical Device Documentation Self-assessment paper and take a few minutes to complete it. We assure you that you will have started the road to more efficient documentation within the next 15 minutes!