Medi SPICE

Medi SPICE: An Overview 

Fergal Mc Caffery 

Alec Dorling 

SPICE 2009 

Turku, Finland

Aims of Medi SPICE 

Background 

Outline 

Regulatory software development process 

areas 

Mapping Regulations to process areas 

Medi SPICE Processes 

Sample Process – Risk Management 

Future Work – Call for participation 

THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE

Medi SSPICE C 

• Medi SPICE will define a method and 

approach for the medical device industry so 

that companies adhering to Medi SPICE will 

have a more streamlined pathway towards 

compliance. 


Aims 

To minimise the volume of software documentation 

content within the premarket submission for audit 

and to provide global harmonization (with consistent 

guidance provided for all medical device software 

manufacture) 

manufacture). 

TTo propose a conformity f i assessment scheme h to 

support first, second or third party assessment 

results lt that th t may be b recognised i d bby th the regulatory l t 

bodies. 

Lero ©2009 

THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE 

4

Challenges faced by the Medical 

Device Industry (1/3) 

Software is one of the most complex elements of a medical device 

Developing safety-critical software-based systems in a disciplined and 

cost-effective way still poses major challenges. 

Medical device software is required to comply with the guidelines of 

th the regulatory l t bbodies di of f th the FDA and d the th MMedical di l DDevice i Di Directives ti 

(CE marking). 

Lero ©2009 

IIn order d for f a medical di l ddevice i tto bbe marketed k t d iin a particular ti l country t it 

has to be approved by a competent authority e.g. Medicines and 

Healthcare products p Regulatory g yAgency g y –MHRA (UK) ( ) 

The level of documentation required during the submission is directly 

linked to the level of risk posed by the medical device. 


5

Literature 

Review 

Lero© 2009 

Important Medical Development 

Standards and Guidelines 

ISO 13485 

IEC 60601-1-4 

FDA - 21 CFR Part 820 

FDA/CDRH Guidance 

ISO 14971 

AAMI TIR 32 

SW 68, IEC 62304 

ISPE GAMP Guide 

IEC 61508 

Medical Device Software 




Technical File for CE approval approval. 

Design History file for 510(k) or PMA submissions to the 

FDA FDA. 

FDA software guidelines for development, validation and 

use of off off-the-shelf the shelf software software. 

Software developed for medical devices concerns itself with 

obtaining regulatory processes as opposed to improving 

processes to obtain more efficient software development. 

Lero ©2009 


7



IEC 62304 - developed as the standard for software life cycle 

processes for medical device software (based upon ISO 12207). 

It defines two major life cycle processes: 

a development process 

a maintenance process. process 

For both application software and embedded software 

The standard considers the software as a sub-system of the 

medical device. Three software classes are defined: 

CClass 

A — no injury or damage to health is possible 

Class B –– non-serious injury is possible 

Class C — Death or serious injury is possible. 

Lero ©2009 


8

Medi SPICE 

Introduction to the framework; 

Intended audience and implementation strategy; 

Architecture consisting of: 

A reference e e e ce model, ode , 

An assessment model, 

An assessment method, 

Assessment activities; 

Process assessment and improvement concepts 

Process improvement, 

PProcess capability bilit ddetermination; t i ti 

Compliance with medical device regulations; 

Software Development Roadmap - a suggested step-by-step guide to 

ddeveloping l i software ft iincluding: l di 

Life cycle development models and milestones, 

Roadmap checklists, 

Recommended best practices; 

LERO© 2009 


Founded upon: 

Lero ©2009 

Foundations of 

Medi SPICE 

ISO/IEC 15504-5 processes 

- Perform conformance assessments of the software 

process capability of medical device suppliers in 

accordance with the requirements of ISO/IEC 

15504-2 


10

PRM + PAM 

Provide comprehensive coverage of the FDA and 

European Council guidelines 

- Particular focus on IEC 62304 

As Safety y is a primary p y issue the PRM & PAM will 

incorporate: 

Lero ©2009 

Safety y Integrity g y levels and the safety y lifecycle y from IEC 

61508 

Safety processes that are present in + SAFE 

- Safety Management, Safety Engineering 

– Will be introduced in 15504-10 along with Selection and 

qualification of software tools and libraries 


11

Lero ©2009 

PRM + PAM 

The PRM and PAM will be available (once 

developed) as a Publically Available 

St Standard d d (PAS) which hi h will ill th then bbe subject bj t 

to a PAS submission to the new ISO/IEC 

31001 series of standards. 


12

LERO© 2009 

FDA Software Development 

1. Level of Concern 

2. Software Description 

Areas 

3. Device Hazard Analysis 

4. Software Requirements Specification 

55. Architecture Design Chart 

6. Software Design Specification 

77. Traceability Analysis 

8. Software Development Environment 

99. Verification Verification, Validation and Testing 

10. Revision Level History 

11 11. Unresolved Anomalies 


Lero ©2009 

IEC 62304 Medical Device 

Software Lifecycle processes 

Quality Management System 

Software Safety Classification 

Software Development Process 

Software Maintenance Process 

Risk Management Process 

Software Configuration Management 

Process 

Software Problem Resolution Process 


14

Lero ©2009 

Medi SPICE Process Groups 

Risk and Safety Management 

Requirements 

Development 

Testing and Integration 

Supporting Processes 

Additional Requirements 


15

Risk and Safety Management 

Group Mappings 

FDA Areas Associated IEC 62304 

Associated ISO/IEC 

Processes 

1504-5 Processes 

1. Device Hazard and 

Risk Analysis 

2. Level of Concern 

+ SAFE – Safety 

extension i to CMMI 

CMMI process areas 

• SSafety f t Management 

M t 

• Safety Management 

Lero ©2009 

1. Risk Management 

A1. Risk Management 

2. Software Safety A2. Safety Management 

Classification (Part 10 Safety 

Extensions) 

A3 A3. SSafety f EEngineering i i 

(Part 10 Safety 

Extensions) 


16

Requirements 



Associated ISO/IEC 

Processes 

1504-5 Processes 

3. Software 

Requirements 

Specification 

4. Requirements 

Traceability Analysis 

Lero ©2009 

3. Software 

Requirements 

Analysis 

B1. Requirements 

Elicitation 

A4. Software 

Requirements Analysis 

B2 B2. SSystem 

Requirements Analysis 


17

Development 


FDA Areas Associated IEC 62304 Associated ISO/IEC 

Processes 1504-5 Processes 

55. Architecture Design 

44. Software Development 

A5 A5. Project Management 

Chart 

Planning 

A6. Selection and 

66. Design Specifications 55. Software Architectural 

qualification of software 

Design 

tools and libraries (Part 

7. Software Description 

6. Software Detailed 

10 Safety Extensions) 

8. Software Development Design B3. System Architectural 

Design 

Lero ©2009 

A7. Software Design 

B4. Documentation 


18

Testing and Integration 


FDA Areas Associated IEC 62304 Associated ISO/IEC 

Processes 1504-5 Processes 

99. Validation Validation, Verification 77. Software Unit 

A8 A8. Software 

and Testing 

Implementation and 

Verification 

8. Software Integration 

Construction 

A9 A9. Software Integration 

and Integration Testing A10. Software Testing 

Lero ©2009 

9. Software System 

Testing 

B5. System Integration 

B6. System y Testingg 

A11. Verification 

A12. Validation 


19

Supporting Processes 



Processes 

Associated ISO/IEC 1504-5 Processes 

10.Revision 

Level 

10.Software Release B7. Product Release 

History 11.Software 

Configuration 

B8. Product Acceptance Support 

Management B9. Software Installation 

Lero ©2009 

12.Software 

Maintenance 

13.Software Problem 

Resolution 

A13. Configuration Management 

A14. Problem Resolution 

Management 

A15 A15. Ch Change RRequest t MManagement t 

A16. Software and System 

Maintenance 


20

Additional Requirements 



Processes 

ISO 13485 14.Quality 

Management g 

System 

Lero ©2009 

Associated ISO/IEC 1504-5 Processes 

B10. Quality Assurance 


21

Phase 1 

Proposed Phases of 

Medi SPICE Delivery 

16 processes of which a high proportion of their defined base 

practices p will be required q either in their current state or in a 

revised state to satisfy the regulatory demands of the medical 

device industry. 

Phase 2 

10 processes which contain a much smaller proportion of 

ddefined fi d bbase practices ti th that t will ill bbe required i d either ith iin th their i 

current state or in a revised state to satisfy the regulatory 

demands of the medical device industry 

Phase 3 

Lero ©2009 

Delivery of remaining Medi SPICE processes 


22

Medi Spice Delivery Phase 1 

ISO/IEC 15504-5 Processes to be 

extended 

Resultant Medi SPICE Processes 

A1. Risk Management 

Risk Management 

A2. Safety Management (Part 10) 

Safety Management 

A3. Safety Engineering (Part 10) 

Safety Engineering 

A4. Software Requirements Analysis Software Requirements Analysis 

A5. Project Management 

Project Management 

A6 A6. Selection and qualification of software Selection and qualification of software tools 

tools and libraries (Part 10) 

and libraries 

A.7 Software Design 

Software Design 

A.8 Software Construction 

Software Construction 

A.9 SSoftware f Integration 

SSoftware f Integration 

A.10 Software Testing 

Software Testing 

A.11 Verification 

Verification 

AA.12 12 Validation 

Validation 

A.13 Configuration Management 

Configuration Management 

A.14 Problem Resolution Management Problem Resolution Management 

A.15 Change Request Management 

Change Request Management 

A16S A.16 Software ft and dS System t Maintenance M i t 

SSoftware ft and d SSystem t MMaintenance i t 

23 

Lero ©2009 



ISO/IEC 15504-5 Processes to be Resultant Medi SPICE Processes 

extended 

B1. Requirements q Elicitation 16 Phase 1 processes p 

B2. System Requirements Analysis 

B3. System Architectural Design 

+ 

B4. Documentation 

Requirements Elicitation 

B5. System Integration 

System Requirements Analysis 

B6. Product Release 

System Architectural Design 

B7. Product Acceptance Support Documentation 

B8. System Testing 

System Integration 

B9. System Installation 

Product Release 

B10. Quality Assurance 

Product Acceptance Support 

SSystem TTesting i 

System Installation 

Quality Assurance 

Lero ©2009 


24


ISO/IEC 15504-5 Processes to be Resultant Medi SPICE Processes 

extended 

25 Remaining ISO/IEC 15504-5 15504 5 

Processes 

Lero ©2009 

26 

(16 Phase 1 + 10 Phase 2 processes) 

+ 

25 Remaining Processes 


25

LERO© 2009 

Mappings for each 

MMedi di SPICE process 

ISO/IEC 15504 

Practices required by 

ISO/IEC 15504 

only 

Practices 

required by both 

ISO/IEC 15504 & 

RRegulatory l t 

Compliance 

Medical Device Regulations 

Practices 

required 

for regulatory g y 

Compliance 

only 


Medi SPICE RM Process 

Medi SPICE RM process has the same base 

practice titles as ISO/IEC 15504 but amended 

content 

• BP1: Establish risk management g scope; p ; 

• BP2: Define risk management strategies; 

• BP3: Identify risks; 

• BP4: Analyse risks; 

• BP5 BP5: DDefine fi andd perform f risk i k ttreatment t t actions; ti 

• BP6: Monitor risks; 

• BP7: Take preventative or corrective action. 

LERO© 2009 


Risk Management g Process 

The medical device standards and 

guidelines g have been mapped pp against g 

ISO/IEC 15504-5 to produce the Medi 

SPICE Risk Management process process. 

New sub-practices have been added to 

the ISO/IEC 15504-5 Risk Management g 

process to create the Medi SPICE Risk 

Management process. 

process 

LERO© 2009 


LERO© 2009 

Medi SPICE RM Base Practices 

BP1: Establish Risk Management scope 

Sub-Practice Specified Specified in 

in ISO/IEC the Medical 

15504-5 ? device 

regulations ? 

Determine the scope of f risk 

management to be performed. 

Yes Yes 

Define the scope of the strategy and 

No Yes – ISO 

include those life-cycle phases for 

which the strategy is applicable 

14971 

Section 3.4a 


Practice 

Summary – Medi SPICE 

RM Base Practices 

ISO/IEC 15504- 

5 Sub-Practices 

ISO/IEC 15504-5 Sub- 

Practices required to meet 

regulatory l t medical di l device d i 

requirements 

Additional Sub-Practices 

required to meet regulatory 

medical di l device d i requirements i t 

Establish risk 1 1 1 

management scope 

Define 

management 

strategies 

risk 1 1 11 

Identify risks 2 1 3 

Analyse risks 1 1 0 

Define and 1 1 5 

Perform risk 

treatment actions 

Monitor risks 1 1 2 

Take Preventative 1 1 1 

or 

action 

Corrective 

Total 8 7 23 

Lero ©2009 


30

Summary for Medi SPICE RM 

With respect to the base practices of the RM process: 

•following the ISO/IEC 15504-5 RM process will only partially 

meet the goals of the medical device guidelines 

• only 1 of the 7 ISO/IEC 15504-5 RM base practices fully 

satisfies the requirements of the associated Medi SPICE RM 

practice (Analyse Risks) 

• only 8 of the 31 Medi SPICE RM sub-practices are required 

by the ISO/IEC 15504-5 RM practice 

•With 23 new sub-practices having to be added 

LERO© 2009 


LERO© 2000 

Mappings for the Medi SPICE 

RM process 

ISO/IEC 15504 

1 Sub Sub- Practice 

required by 

ISO/IEC 15504 only 

7 

Sub Sub-Practices Practices 

required 

by both 

Medical Device 

Regulations 

23 

Sub Sub-Practices Practices required 

by the medical device 

regulations 


Project j Organisation g 

Research team 

- Core team - (from DkIT and Lero in Ireland) 

- Extended core team – international 

Collaboration teams (international) 

( ) 

- Medical Device Software processes 

- Global Software development strategies 

- SSoftware ft process assessment t and d improvement 

i t 

Ad Advisory i Board B d 

- Medical Device Software industry (companies and 

Medical Device Associations) 

Lero ©2009 


33

Future 

PProject j t will ill now bbe really ll ki kicking ki off ff 

LERO© 2009 

Want to gain involvement of wider SPICE 

Community in Medi SPICE 


QQuestions? i ?

LERO© 2008 

This research is supported by Science Foundation Ireland through the Stokes 

Lectureship Programme, grant number 07/SK/I1299 and Lero - the Irish 

Software Engineering Research Centre. Centre 

Thank You

Medi SPICE

Create successful ePaper yourself

Delete template?

Save as template?