
A case study on software risk analysis and planning in medical device development

Software Quality Journal

Abstract

Software failures in medical devices can lead to catastrophic situations. It is therefore crucial to handle software-related risks when developing medical devices, and further analysis is needed of how this type of risk management should be conducted. The objective of this paper is to collect and summarise experiences from conducting risk management with an organisation that develops medical devices. Specific focus is put on the first steps of the risk management process, i.e. risk identification, risk analysis and risk planning. The research is conducted as action research, with the aim of analysing and giving input to the organisation’s introduction of a software risk management process. The method was first defined on the basis of already available methods and then applied. It focuses on user risks, based on scenarios describing the expected use of the medical device in its target environment. During the application of the method, different stakeholders, including intended users, were involved. Results from the case study show that there are challenging problems in the risk management process with respect to definition of the system boundary and system context, the use of scenarios as input to risk identification, estimation of detectability during risk analysis, and action proposals during risk planning. It can be concluded that the risk management method has the potential to be used in the development organisation, although future research is needed with respect to, for example, context limitation and how to allow for flexible updates of the product.



Acknowledgments

The authors would like to gratefully acknowledge the persons involved in this case study. The authors would also like to acknowledge Gyllenstiernska Krapperup-stiftelsen for funding the research studies of Christin Lindholm. This work was also partly funded by The Swedish Foundation for Strategic Research under a grant to Lund University for ENGROSS-ENabling GROwing Software Systems. Prof. Boris Magnusson is acknowledged for the support in the study and the writing of this paper.

Author information

Correspondence to Christin Lindholm.

Cite this article

Lindholm, C., Notander, J.P. & Höst, M. A case study on software risk analysis and planning in medical device development. Software Qual J 22, 469–497 (2014). https://doi.org/10.1007/s11219-013-9222-2
