Medi SPICE
Medi SPICE
Medi SPICE
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Medi</strong> <strong>SPICE</strong>: An Overview<br />
Fergal Mc Caffery<br />
Alec Dorling<br />
<strong>SPICE</strong> 2009<br />
Turku, Finland
Aims of <strong>Medi</strong> <strong>SPICE</strong><br />
Background<br />
Outline<br />
Regulatory software development process<br />
areas<br />
Mapping Regulations to process areas<br />
<strong>Medi</strong> <strong>SPICE</strong> Processes<br />
Sample Process – Risk Management<br />
Future Work – Call for participation<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
<strong>Medi</strong> S<strong>SPICE</strong> C<br />
• <strong>Medi</strong> <strong>SPICE</strong> will define a method and<br />
approach for the medical device industry so<br />
that companies adhering to <strong>Medi</strong> <strong>SPICE</strong> will<br />
have a more streamlined pathway towards<br />
compliance.<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Aims<br />
To minimise the volume of software documentation<br />
content within the premarket submission for audit<br />
and to provide global harmonization (with consistent<br />
guidance provided for all medical device software<br />
manufacture)<br />
manufacture).<br />
TTo propose a conformity f i assessment scheme h to<br />
support first, second or third party assessment<br />
results lt that th t may be b recognised i d bby th the regulatory l t<br />
bodies.<br />
Lero ©2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
4
Challenges faced by the <strong>Medi</strong>cal<br />
Device Industry (1/3)<br />
Software is one of the most complex elements of a medical device<br />
Developing safety-critical software-based systems in a disciplined and<br />
cost-effective way still poses major challenges.<br />
<strong>Medi</strong>cal device software is required to comply with the guidelines of<br />
th the regulatory l t bbodies di of f th the FDA and d the th M<strong>Medi</strong>cal di l DDevice i Di Directives ti<br />
(CE marking).<br />
Lero ©2009<br />
IIn order d for f a medical di l ddevice i tto bbe marketed k t d iin a particular ti l country t it<br />
has to be approved by a competent authority e.g. <strong>Medi</strong>cines and<br />
Healthcare products p Regulatory g yAgency g y –MHRA (UK) ( )<br />
The level of documentation required during the submission is directly<br />
linked to the level of risk posed by the medical device.<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
5
Literature<br />
Review<br />
Lero© 2009<br />
Important <strong>Medi</strong>cal Development<br />
Standards and Guidelines<br />
ISO 13485<br />
IEC 60601-1-4<br />
FDA - 21 CFR Part 820<br />
FDA/CDRH Guidance<br />
ISO 14971<br />
AAMI TIR 32<br />
SW 68, IEC 62304<br />
ISPE GAMP Guide<br />
IEC 61508<br />
<strong>Medi</strong>cal Device Software<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Challenges faced by the <strong>Medi</strong>cal<br />
Device Industry (2/3)<br />
Technical File for CE approval approval.<br />
Design History file for 510(k) or PMA submissions to the<br />
FDA FDA.<br />
FDA software guidelines for development, validation and<br />
use of off off-the-shelf the shelf software software.<br />
Software developed for medical devices concerns itself with<br />
obtaining regulatory processes as opposed to improving<br />
processes to obtain more efficient software development.<br />
Lero ©2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
7
Challenges faced by the <strong>Medi</strong>cal<br />
Device Industry (3/3)<br />
IEC 62304 - developed as the standard for software life cycle<br />
processes for medical device software (based upon ISO 12207).<br />
It defines two major life cycle processes:<br />
a development process<br />
a maintenance process. process<br />
For both application software and embedded software<br />
The standard considers the software as a sub-system of the<br />
medical device. Three software classes are defined:<br />
CClass<br />
A — no injury or damage to health is possible<br />
Class B –– non-serious injury is possible<br />
Class C — Death or serious injury is possible.<br />
Lero ©2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
8
<strong>Medi</strong> <strong>SPICE</strong><br />
Introduction to the framework;<br />
Intended audience and implementation strategy;<br />
Architecture consisting of:<br />
A reference e e e ce model, ode ,<br />
An assessment model,<br />
An assessment method,<br />
Assessment activities;<br />
Process assessment and improvement concepts<br />
Process improvement,<br />
PProcess capability bilit ddetermination; t i ti<br />
Compliance with medical device regulations;<br />
Software Development Roadmap - a suggested step-by-step guide to<br />
ddeveloping l i software ft iincluding: l di<br />
Life cycle development models and milestones,<br />
Roadmap checklists,<br />
Recommended best practices;<br />
LERO© 2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Founded upon:<br />
Lero ©2009<br />
Foundations of<br />
<strong>Medi</strong> <strong>SPICE</strong><br />
ISO/IEC 15504-5 processes<br />
- Perform conformance assessments of the software<br />
process capability of medical device suppliers in<br />
accordance with the requirements of ISO/IEC<br />
15504-2<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
10
PRM + PAM<br />
Provide comprehensive coverage of the FDA and<br />
European Council guidelines<br />
- Particular focus on IEC 62304<br />
As Safety y is a primary p y issue the PRM & PAM will<br />
incorporate:<br />
Lero ©2009<br />
Safety y Integrity g y levels and the safety y lifecycle y from IEC<br />
61508<br />
Safety processes that are present in + SAFE<br />
- Safety Management, Safety Engineering<br />
– Will be introduced in 15504-10 along with Selection and<br />
qualification of software tools and libraries<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
11
Lero ©2009<br />
PRM + PAM<br />
The PRM and PAM will be available (once<br />
developed) as a Publically Available<br />
St Standard d d (PAS) which hi h will ill th then bbe subject bj t<br />
to a PAS submission to the new ISO/IEC<br />
31001 series of standards.<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
12
LERO© 2009<br />
FDA Software Development<br />
1. Level of Concern<br />
2. Software Description<br />
Areas<br />
3. Device Hazard Analysis<br />
4. Software Requirements Specification<br />
55. Architecture Design Chart<br />
6. Software Design Specification<br />
77. Traceability Analysis<br />
8. Software Development Environment<br />
99. Verification Verification, Validation and Testing<br />
10. Revision Level History<br />
11 11. Unresolved Anomalies<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Lero ©2009<br />
IEC 62304 <strong>Medi</strong>cal Device<br />
Software Lifecycle processes<br />
Quality Management System<br />
Software Safety Classification<br />
Software Development Process<br />
Software Maintenance Process<br />
Risk Management Process<br />
Software Configuration Management<br />
Process<br />
Software Problem Resolution Process<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
14
Lero ©2009<br />
<strong>Medi</strong> <strong>SPICE</strong> Process Groups<br />
Risk and Safety Management<br />
Requirements<br />
Development<br />
Testing and Integration<br />
Supporting Processes<br />
Additional Requirements<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
15
Risk and Safety Management<br />
Group Mappings<br />
FDA Areas Associated IEC 62304<br />
Associated ISO/IEC<br />
Processes<br />
1504-5 Processes<br />
1. Device Hazard and<br />
Risk Analysis<br />
2. Level of Concern<br />
+ SAFE – Safety<br />
extension i to CMMI<br />
CMMI process areas<br />
• SSafety f t Management<br />
M t<br />
• Safety Management<br />
Lero ©2009<br />
1. Risk Management<br />
A1. Risk Management<br />
2. Software Safety A2. Safety Management<br />
Classification (Part 10 Safety<br />
Extensions)<br />
A3 A3. SSafety f EEngineering i i<br />
(Part 10 Safety<br />
Extensions)<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
16
Requirements<br />
Group Mappings<br />
FDA Areas Associated IEC 62304<br />
Associated ISO/IEC<br />
Processes<br />
1504-5 Processes<br />
3. Software<br />
Requirements<br />
Specification<br />
4. Requirements<br />
Traceability Analysis<br />
Lero ©2009<br />
3. Software<br />
Requirements<br />
Analysis<br />
B1. Requirements<br />
Elicitation<br />
A4. Software<br />
Requirements Analysis<br />
B2 B2. SSystem<br />
Requirements Analysis<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
17
Development<br />
Group Mappings<br />
FDA Areas Associated IEC 62304 Associated ISO/IEC<br />
Processes 1504-5 Processes<br />
55. Architecture Design<br />
44. Software Development<br />
A5 A5. Project Management<br />
Chart<br />
Planning<br />
A6. Selection and<br />
66. Design Specifications 55. Software Architectural<br />
qualification of software<br />
Design<br />
tools and libraries (Part<br />
7. Software Description<br />
6. Software Detailed<br />
10 Safety Extensions)<br />
8. Software Development Design B3. System Architectural<br />
Design<br />
Lero ©2009<br />
A7. Software Design<br />
B4. Documentation<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
18
Testing and Integration<br />
Group Mappings<br />
FDA Areas Associated IEC 62304 Associated ISO/IEC<br />
Processes 1504-5 Processes<br />
99. Validation Validation, Verification 77. Software Unit<br />
A8 A8. Software<br />
and Testing<br />
Implementation and<br />
Verification<br />
8. Software Integration<br />
Construction<br />
A9 A9. Software Integration<br />
and Integration Testing A10. Software Testing<br />
Lero ©2009<br />
9. Software System<br />
Testing<br />
B5. System Integration<br />
B6. System y Testingg<br />
A11. Verification<br />
A12. Validation<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
19
Supporting Processes<br />
Group Mappings<br />
FDA Areas Associated IEC 62304<br />
Processes<br />
Associated ISO/IEC 1504-5 Processes<br />
10.Revision<br />
Level<br />
10.Software Release B7. Product Release<br />
History 11.Software<br />
Configuration<br />
B8. Product Acceptance Support<br />
Management B9. Software Installation<br />
Lero ©2009<br />
12.Software<br />
Maintenance<br />
13.Software Problem<br />
Resolution<br />
A13. Configuration Management<br />
A14. Problem Resolution<br />
Management<br />
A15 A15. Ch Change RRequest t MManagement t<br />
A16. Software and System<br />
Maintenance<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
20
Additional Requirements<br />
Group Mappings<br />
FDA Areas Associated IEC 62304<br />
Processes<br />
ISO 13485 14.Quality<br />
Management g<br />
System<br />
Lero ©2009<br />
Associated ISO/IEC 1504-5 Processes<br />
B10. Quality Assurance<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
21
Phase 1<br />
Proposed Phases of<br />
<strong>Medi</strong> <strong>SPICE</strong> Delivery<br />
16 processes of which a high proportion of their defined base<br />
practices p will be required q either in their current state or in a<br />
revised state to satisfy the regulatory demands of the medical<br />
device industry.<br />
Phase 2<br />
10 processes which contain a much smaller proportion of<br />
ddefined fi d bbase practices ti th that t will ill bbe required i d either ith iin th their i<br />
current state or in a revised state to satisfy the regulatory<br />
demands of the medical device industry<br />
Phase 3<br />
Lero ©2009<br />
Delivery of remaining <strong>Medi</strong> <strong>SPICE</strong> processes<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
22
<strong>Medi</strong> Spice Delivery Phase 1<br />
ISO/IEC 15504-5 Processes to be<br />
extended<br />
Resultant <strong>Medi</strong> <strong>SPICE</strong> Processes<br />
A1. Risk Management<br />
Risk Management<br />
A2. Safety Management (Part 10)<br />
Safety Management<br />
A3. Safety Engineering (Part 10)<br />
Safety Engineering<br />
A4. Software Requirements Analysis Software Requirements Analysis<br />
A5. Project Management<br />
Project Management<br />
A6 A6. Selection and qualification of software Selection and qualification of software tools<br />
tools and libraries (Part 10)<br />
and libraries<br />
A.7 Software Design<br />
Software Design<br />
A.8 Software Construction<br />
Software Construction<br />
A.9 SSoftware f Integration<br />
SSoftware f Integration<br />
A.10 Software Testing<br />
Software Testing<br />
A.11 Verification<br />
Verification<br />
AA.12 12 Validation<br />
Validation<br />
A.13 Configuration Management<br />
Configuration Management<br />
A.14 Problem Resolution Management Problem Resolution Management<br />
A.15 Change Request Management<br />
Change Request Management<br />
A16S A.16 Software ft and dS System t Maintenance M i t<br />
SSoftware ft and d SSystem t MMaintenance i t<br />
23<br />
Lero ©2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
<strong>Medi</strong> Spice Delivery Phase 2<br />
ISO/IEC 15504-5 Processes to be Resultant <strong>Medi</strong> <strong>SPICE</strong> Processes<br />
extended<br />
B1. Requirements q Elicitation 16 Phase 1 processes p<br />
B2. System Requirements Analysis<br />
B3. System Architectural Design<br />
+<br />
B4. Documentation<br />
Requirements Elicitation<br />
B5. System Integration<br />
System Requirements Analysis<br />
B6. Product Release<br />
System Architectural Design<br />
B7. Product Acceptance Support Documentation<br />
B8. System Testing<br />
System Integration<br />
B9. System Installation<br />
Product Release<br />
B10. Quality Assurance<br />
Product Acceptance Support<br />
SSystem TTesting i<br />
System Installation<br />
Quality Assurance<br />
Lero ©2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
24
<strong>Medi</strong> Spice Delivery Phase 3<br />
ISO/IEC 15504-5 Processes to be Resultant <strong>Medi</strong> <strong>SPICE</strong> Processes<br />
extended<br />
25 Remaining ISO/IEC 15504-5 15504 5<br />
Processes<br />
Lero ©2009<br />
26<br />
(16 Phase 1 + 10 Phase 2 processes)<br />
+<br />
25 Remaining Processes<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
25
LERO© 2009<br />
Mappings for each<br />
M<strong>Medi</strong> di <strong>SPICE</strong> process<br />
ISO/IEC 15504<br />
Practices required by<br />
ISO/IEC 15504<br />
only<br />
Practices<br />
required by both<br />
ISO/IEC 15504 &<br />
RRegulatory l t<br />
Compliance<br />
<strong>Medi</strong>cal Device Regulations<br />
Practices<br />
required<br />
for regulatory g y<br />
Compliance<br />
only<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
<strong>Medi</strong> <strong>SPICE</strong> RM Process<br />
<strong>Medi</strong> <strong>SPICE</strong> RM process has the same base<br />
practice titles as ISO/IEC 15504 but amended<br />
content<br />
• BP1: Establish risk management g scope; p ;<br />
• BP2: Define risk management strategies;<br />
• BP3: Identify risks;<br />
• BP4: Analyse risks;<br />
• BP5 BP5: DDefine fi andd perform f risk i k ttreatment t t actions; ti<br />
• BP6: Monitor risks;<br />
• BP7: Take preventative or corrective action.<br />
LERO© 2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Risk Management g Process<br />
The medical device standards and<br />
guidelines g have been mapped pp against g<br />
ISO/IEC 15504-5 to produce the <strong>Medi</strong><br />
<strong>SPICE</strong> Risk Management process process.<br />
New sub-practices have been added to<br />
the ISO/IEC 15504-5 Risk Management g<br />
process to create the <strong>Medi</strong> <strong>SPICE</strong> Risk<br />
Management process.<br />
process<br />
LERO© 2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
LERO© 2009<br />
<strong>Medi</strong> <strong>SPICE</strong> RM Base Practices<br />
BP1: Establish Risk Management scope<br />
Sub-Practice Specified Specified in<br />
in ISO/IEC the <strong>Medi</strong>cal<br />
15504-5 ? device<br />
regulations ?<br />
Determine the scope of f risk<br />
management to be performed.<br />
Yes Yes<br />
Define the scope of the strategy and<br />
No Yes – ISO<br />
include those life-cycle phases for<br />
which the strategy is applicable<br />
14971<br />
Section 3.4a<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Practice<br />
Summary – <strong>Medi</strong> <strong>SPICE</strong><br />
RM Base Practices<br />
ISO/IEC 15504-<br />
5 Sub-Practices<br />
ISO/IEC 15504-5 Sub-<br />
Practices required to meet<br />
regulatory l t medical di l device d i<br />
requirements<br />
Additional Sub-Practices<br />
required to meet regulatory<br />
medical di l device d i requirements i t<br />
Establish risk 1 1 1<br />
management scope<br />
Define<br />
management<br />
strategies<br />
risk 1 1 11<br />
Identify risks 2 1 3<br />
Analyse risks 1 1 0<br />
Define and 1 1 5<br />
Perform risk<br />
treatment actions<br />
Monitor risks 1 1 2<br />
Take Preventative 1 1 1<br />
or<br />
action<br />
Corrective<br />
Total 8 7 23<br />
Lero ©2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
30
Summary for <strong>Medi</strong> <strong>SPICE</strong> RM<br />
With respect to the base practices of the RM process:<br />
•following the ISO/IEC 15504-5 RM process will only partially<br />
meet the goals of the medical device guidelines<br />
• only 1 of the 7 ISO/IEC 15504-5 RM base practices fully<br />
satisfies the requirements of the associated <strong>Medi</strong> <strong>SPICE</strong> RM<br />
practice (Analyse Risks)<br />
• only 8 of the 31 <strong>Medi</strong> <strong>SPICE</strong> RM sub-practices are required<br />
by the ISO/IEC 15504-5 RM practice<br />
•With 23 new sub-practices having to be added<br />
LERO© 2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
LERO© 2000<br />
Mappings for the <strong>Medi</strong> <strong>SPICE</strong><br />
RM process<br />
ISO/IEC 15504<br />
1 Sub Sub- Practice<br />
required by<br />
ISO/IEC 15504 only<br />
7<br />
Sub Sub-Practices Practices<br />
required<br />
by both<br />
<strong>Medi</strong>cal Device<br />
Regulations<br />
23<br />
Sub Sub-Practices Practices required<br />
by the medical device<br />
regulations<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
Project j Organisation g<br />
Research team<br />
- Core team - (from DkIT and Lero in Ireland)<br />
- Extended core team – international<br />
Collaboration teams (international)<br />
( )<br />
- <strong>Medi</strong>cal Device Software processes<br />
- Global Software development strategies<br />
- SSoftware ft process assessment t and d improvement<br />
i t<br />
Ad Advisory i Board B d<br />
- <strong>Medi</strong>cal Device Software industry (companies and<br />
<strong>Medi</strong>cal Device Associations)<br />
Lero ©2009<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE<br />
33
Future<br />
PProject j t will ill now bbe really ll ki kicking ki off ff<br />
LERO© 2009<br />
Want to gain involvement of wider <strong>SPICE</strong><br />
Community in <strong>Medi</strong> <strong>SPICE</strong><br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE
QQuestions? i ?
LERO© 2008<br />
This research is supported by Science Foundation Ireland through the Stokes<br />
Lectureship Programme, grant number 07/SK/I1299 and Lero - the Irish<br />
Software Engineering Research Centre. Centre<br />
Thank You<br />
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE