12,943 research outputs found

    A hazard analysis method for systematic identification of safety requirements for user interface software in medical devices

    © Springer International Publishing AG (outside the US) 2017. Formal methods technologies have the potential to verify the usability and safety of user interface (UI) software design in medical devices, enabling significant reductions in use errors and consequential safety incidents with such devices. This however depends on comprehensive and verifiable safety requirements to leverage these techniques for detecting and preventing flaws in UI software that can induce use errors. This paper presents a hazard analysis method that extends Leveson’s System Theoretic Process Analysis (STPA) with a comprehensive set of causal factor categories, so as to provide developers with clear guidelines for systematic identification of use-related hazards associated with medical devices, their causes embedded in UI software design, and safety requirements for mitigating such hazards. The method is evaluated with a case study on the Gantry-2 radiation therapy system, which demonstrates that (1) as compared to standard STPA, our method allowed us to identify more UI software design issues likely to cause use-related hazards; and (2) the identified UI software design issues facilitated the definition of precise, verifiable safety requirements for UI software, which could be readily formalized in verification tools such as Prototype Verification System (PVS). U.S. Food and Drug Administration (NORTE-01-0145-FEDER-000016). Sandy Weininger (FDA), Scott Thiel (Navigant Consulting, Inc.), Michelle Jump (Stryker), Stefania Gnesi (ISTI/CNR) and the CHI+MED team (www.chi-med.ac.uk) provided useful feedback and inputs. Paolo Masci’s work is supported by the North Portugal Regional Operational Programme (NORTE 2020) under the PORTUGAL 2020 Partnership Agreement, and by the European Regional Development Fund (ERDF) within Project “NORTE-01-0145-FEDER-000016”.

    A Systematic Framework for Radio Frequency Identification (RFID) Hazard Mitigation in the Blood Transfusion Supply Chain from Donation to Distribution

    The RFID Consortium is developing what will be the first FDA-approved use of radio frequency identification (RFID) technology to identify, track, manage, and monitor blood throughout the entire blood transfusion supply chain. The iTrace™ is an innovative technological system designed to optimize the procedures currently employed when tracing blood from the donor to the recipient. With all novel technologies it is essential to consider not only the advantages, but also the potential harms that may come about from using the system. The deployment of the iTrace™ consists of two phases: 1) Phase One - application of the iTrace™ from the donor to blood center distribution, and 2) Phase Two - application of the iTrace™ from blood center distribution to transfusion. This dissertation seeks to identify the possible hazards that may occur when utilizing the iTrace™ during Phase One, and to assess the mitigation and correction processes to combat these hazards. A thorough examination of verification and validation tests, as well as of the system design, requirements, and standard operating procedures was performed to qualify and quantify each hazard into specific categories of severity and likelihood. A traceability matrix was also established to link each hazard with its associated tests and/or features. Furthermore, a series of analyses were conducted to determine whether the benefits of implementing the iTrace™ outweighed the risks and whether the mitigation and correction strategies of the hazards were effective. Ultimately, this dissertation serves as a usable, generalizable framework for the management of RFID-related hazards in the blood transfusion supply chain from donor to blood center distribution.

    Implementation of Risk Management in the Medical Device Industry

    This study looks at the implementation and effectiveness of risk management (RM) activities in the medical device industry. An online survey was distributed to medical device professionals who were asked to identify RM-related activities performed during the device life cycle. RM activities and techniques included Establishing Risk Acceptance Criteria, Hazard Identification, Human Factors/Usability, Fault Tree Analysis (FTA), Design Failure Mode and Effects Analysis (DFMEA), Process Failure Mode and Effects Analysis (PFMEA), Hazard and Operability Study (HAZOP), Hazard Analysis and Critical Control Point (HACCP), Risk Benefit Analysis, and Risk Assessment of Customer Complaint. Devices were identified by type (therapeutic, surgical/clinical tools, diagnostic, instrument disposable, implantable, etc.), development history (new, second, third or later generation device), and time since market release. Respondents were also asked to indicate the degree of change made to the device as a result of RM activities and to rate the effectiveness of associated RM activities for the device. Survey results indicated that RM's impact and level of effectiveness on a medical device are dependent primarily on the device type and life-cycle stage (i.e., pre-market versus post-market). There is also some impact of development history and the time since the device was released to market.

    A hybrid Bayesian network for medical device risk assessment and management

    ISO 14971 is the primary standard used for medical device risk management. While it specifies the requirements for medical device risk management, it does not specify a particular method for performing risk management. Hence, medical device manufacturers are free to develop or use any appropriate methods for managing the risk of medical devices. The most commonly used methods, such as Fault Tree Analysis (FTA), are unable to provide a reasonable basis for computing risk estimates when there are limited or no historical data available or where there is second-order uncertainty about the data. In this paper, we present a novel method for medical device risk management using hybrid Bayesian networks (BNs) that resolves the limitations of classical methods such as FTA and incorporates relevant factors affecting the risk of medical devices. The proposed BN method is generic but can be instantiated on a system-by-system basis, and we apply it to a Defibrillator device to demonstrate the process involved for medical device risk management during production and post-production. The example is validated against real-world data

    An approach to safety analysis of clinical workflows

    A clinical workflow considers the information and processes that are involved in providing a clinical service. They are safety critical since even minor faults have the potential to propagate and consequently cause harm to a patient, or even for a patient's life to be lost. Experiencing these kinds of failures has a destructive impact on all the involved parties. Due to the large number of processes and tasks included in the delivery of a clinical service, it can be difficult to determine the individuals or the processes that are responsible for adverse events, since such an analysis is typically complex and slow to do manually. Using automated tools to carry out an analysis can help in determining the root causes of potential adverse events and consequently help in avoiding preventable errors through either the alteration of existing workflows, or the design of a new workflow. This paper describes a technical approach to safety analysis of clinical workflows, utilising a safety analysis tool (Hierarchically-Performed Hazard Origin and Propagation Studies (HiP-HOPS)) that is already in use in the field of mechanical systems. The paper then demonstrates the applicability of the approach to clinical workflows by applying it to analyse the workflow in a radiology department. We conclude that the approach is applicable to this area of healthcare and provides a mechanism both for the systematic identification of adverse events and for the introduction of possible safeguards in clinical workflows

    Alternative sweetener from curculigo fruits

    This study gives an overview on the advantages of Curculigo Latifolia as an alternative sweetener and a health product. The purpose of this research is to provide another option to the people who suffer from diabetes. In this research, Curculigo Latifolia was chosen, due to its unique properties and widely known species in Malaysia. In order to obtain the sweet protein from the fruit, it must go through a couple of procedures. First we harvested the fruits from the Curculigo trees that grow wildly in the garden. Next, the Curculigo fruits were dried in the oven at 50 °C for 3 days. Finally, the dried fruits were blended in order to get a fine powder. Curculin is a sweet protein with a taste-modifying activity of converting sourness to sweetness. The curculin content from the sample is shown to be directly proportional to the mass of the Curculigo fine powder. The FTIR result shows that the sample spectrum contains secondary amines at peak 1634 cm⁻¹ and alkynes at peak 3307 cm⁻¹.

    Systematic Vulnerability Evaluation of Interoperable Medical Device System using Attack Trees

    Security for medical devices has gained some attraction in recent years following some well-publicized attacks on individual devices, such as pacemakers and insulin pumps. This has resulted in solutions being proposed for securing these devices, usually in stand-alone mode. Medical devices are however becoming increasingly interconnected and interoperable as a way to improve patient safety, decrease false alarms, and reduce clinician cognitive workload. Given the nature of interoperable medical devices (IMDs), attacks on IMDs can have devastating consequences. This work outlines our effort in understanding the threats faced by IMDs, an important first step in eventually designing secure interoperability architectures. A useful way of performing threat analysis of any system is to use attack trees. Attack trees are conceptual, multi-leveled diagrams showing how an asset, or target, might be attacked. They provide a formal, methodical way of describing the threats to a system. Developing attack trees for any system is however non-trivial and requires considerable expertise in identifying the various attack vectors. IMDs are typically deployed in hospitals by clinicians and clinical engineers who may not possess such expertise. We therefore develop a methodology that will enable the automated generation of attack trees for IMDs based on a description of the IMD operational workflow and list of safety hazards that need to be avoided during its operation. Additionally, we use the generated attack trees to quantify the security condition of the IMD instance being analyzed. Both these pieces of information can be provided by the users of IMDs in a care facility.
    The contributions of this paper are: (1) a methodology for automated generation of attack trees for IMDs using process modeling and hazard analysis, and (2) a demonstration of the viability of the methodology for a specific IMD setup called Patient Controlled Analgesia (PCA-IMD), which is used for delivering pain medication to patients in hospitals.

    Formal verification of interactive computing systems: Opportunities and challenges

    Formal verification has the potential to provide a level of evidence-based assurance not possible by more traditional development approaches. For this potential to be fulfilled, its integration into existing practices must be achieved. Starting from this premise, the position paper discusses the opportunities created and the challenges faced by the use of formal verification in the analysis of critical interactive computing systems. Three main challenges are discussed: the accessibility of the modelling stage; support for expressing relevant properties; the need to provide analysis results that are comprehensible to a broad range of expertise including software, safety and human factors. This work is financed by the ERDF - European Regional Development Fund through the Operational Programme for Competitiveness and Internationalisation - COMPETE 2020 Programme and by National Funds through the Portuguese funding agency, FCT - Fundação para a Ciência e a Tecnologia, within project POCI-01-0145-FEDER-016826.