risk management in development of life critical systems


Upload: scott-althouse

Post on 20-May-2015


TRANSCRIPT

Page 1: Risk management in development of life critical systems

IBM Software Group

© 2009 IBM Corporation

Risk Management in Developing Life Critical Systems

Kimberly Roberts-Cobb, Industry Solution Executive, IBM Software Group, Rational Tiger Team, [email protected]

Page 2: Risk management in development of life critical systems


Agenda

Smarter Life Critical Systems and Products – a definition

What is Safety? Risk and Hazard Analysis

Product Development Best Practices

Rational Platform for Smarter Medical Device Development

Success stories based on IBM solutions

Questions and Next Steps

Page 3: Risk management in development of life critical systems


Life critical systems and devices are becoming instrumented, interconnected and intelligent, resulting in smarter devices

Instrumented: Miniaturization in electro-mechanical components and electronics, including nanotechnology, enables devices to become portable, wearable and implantable. Passive, active, electromechanical and semiconductive sensors respond to patients' physical changes (e.g., pressure, motion, thermal energy).

Interconnected: Wireless technologies such as Zigbee (a low-power personal area network standard), Bluetooth, WiFi, cell phones, and RFID enable medical devices to communicate with caregivers, electronic medical records, and other devices. Wireless technologies support physiological telemetry systems that monitor patients in real time.

Intelligent: Software, including artificial intelligence, monitors medical device data intake (e.g., physiological data) and sends alerts to caregivers. Chemical and biologic sensors monitor changes in patients' vital signs and physiology. Micro-manipulation robotics and endoscopic imagery enable minimally invasive surgery.

Technological advances are enabling medical systems and devices to become smarter. Smart products transcend "one-size-fits-all" products, enabling customers to get exactly what they want, tailored to their unique needs.

Page 4: Risk management in development of life critical systems


Software drives innovation in smarter life critical systems and devices

Software is a key component in differentiating medical systems and products

An increasing amount of functionality is now provided by software

Software increases risk: device safety now often depends on proper software operation

The FDA is increasing scrutiny of software controls for device manufacturers; the Drug and Device Accountability Act of 2009 proposes stiff financial penalties and even jail time for inaccuracies in certification

Effective risk vs. reward in software delivery is a business-critical imperative

Globalization and interconnected systems make compliance even more complex

Page 5: Risk management in development of life critical systems


Examples of IBM Rational and smarter life critical systems and devices

Endless possibilities with the growing trend of embedded software

Implantable Defibrillators: delivers a life-saving shock to restore the heart to a more normal rate

Operating Room Navigation Systems: track the spatial location of surgical instruments during a procedure (Medtronic LandmarX Element Endoscopic Image Guidance System)

Infusion Pumps: helps prevent errors in delivering medicine dosage (Cardinal Health Alaris System)

Next Generation CT Scanners: an "early health" model of care focused on earlier diagnosis, disease detection and prevention (GE Healthcare CT Scanner)

Page 6: Risk management in development of life critical systems


Agenda

Smarter Life Critical Systems and Products – a definition

What is Safety? Risk and Hazard Analysis

Product Development Best Practices

Rational Platform for Smarter Medical Device Development

Success stories based on IBM solutions

Questions and Next Steps

Page 7: Risk management in development of life critical systems


What is Safety?

Safety is freedom from accidents or losses.

Safety is not reliability! Reliability is the probability that a system will perform its intended function satisfactorily. A highly reliable system can still be unsafe if its intended function is itself hazardous under some operating condition.

Safety is not security! Security is protection or defense against attack, interference, or espionage. In an interconnected device the two meet: an attacker who can alter the device's inputs, commands or software can create exactly the conditions a hazard analysis must control, so deliberate interference belongs among the hazards analyzed rather than outside them.

Page 8: Risk management in development of life critical systems


Safety-Related Concepts

Accident is a loss of some kind, such as injury, death, or equipment damage

Risk is a combination of the likelihood of an accident and its severity: risk = p(a) * s(a)

Hazard is a set of conditions and/or events that leads to an accident.

Failure is the nonperformance of a system or component, a random fault. A random failure is one whose rate can be estimated. Failures are events, e.g., a component failure.

Error is a systematic fault. A systematic fault is a design error. Errors are states or conditions, e.g., a software bug.

A fault is either a failure or an error.

Page 9: Risk management in development of life critical systems


Safety Measures

Safety measures do one of the following:

Remove the hazard

Reduce the risk, either by reducing the likelihood of the accident or by reducing the severity of the accident

Identify the hazard to supervisory personnel so that they can handle it within the fault tolerance time

The purpose of a safety measure is to avoid accident or loss.

The FDA and similar governing bodies are primarily concerned with health and safety, i.e. patient harm. Risks related to an active lack of safety, and risks related to ineffective performance of intended functions on which patients and care providers might reasonably rely to avoid patient harm, are to be analyzed. If harm can occur through the function or dysfunction of the device, there is a hazard or risk to be analyzed and mitigated.

The business is concerned with both health/safety and functionality. Consider a failure mode whose impact on health is 0 but whose impact on functionality is 10: if it happens, the device will absolutely not work, but there is no impact to health or safety. This type of device failure can still be a critical business issue despite the lack of harm.

Page 10: Risk management in development of life critical systems


The Basic Risk Management Process

Risk Analysis: intended use; hazard identification; risk estimation (likelihood/severity)

Risk Evaluation: acceptability decisions

Risk Control: options; implementation; residual risk evaluation and overall risk acceptance

Post Production: post-production actual experience; review of risk management experience

(Figure brackets: the steps above are grouped under the labels Risk Assessment and Risk Management.)

Page 11: Risk management in development of life critical systems


Risk Assessment Methods

Common Risk Assessment Methods

1. Risk matrix

2. Preliminary Hazard Analysis (PHA)

3. Fault Tree Analysis (FTA)

4. Failure Mode Effects (Criticality) Analysis (FMEA/FMECA)

5. Hazard Operability Analysis (HAZOP)

6. Hazard Analysis and Critical Control Point (HACCP)

The FDA "Pre-production Quality Assurance Planning Recommendations For Medical Device Manufacturers" identifies three methods for risk analysis:

• Failure mode effects analysis (FMEA)
• Fault tree analysis (FTA)
• Failure mode effects criticality analysis (FMECA)
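As an added worked example (not IBM's or the presenter's code), the following Python puts the definitions from the last four slides together: risk = p(a) * s(a) on ordinal likelihood and severity scales, a risk-matrix acceptability decision, the kinds of safety measure listed on the Safety Measures slide (remove the hazard, reduce likelihood, reduce severity, identify the hazard to supervisory personnel), residual-risk evaluation after controls, and the separate business view of a failure that has no health impact. The 5x5 scales, the zone boundaries, the effect each control is credited with and the three hypothetical infusion-pump hazards are constructed assumptions for illustration, not figures from the deck or from any real device.

```python
"""Hazard register with risk estimation, evaluation and control.

Added example, not from the original deck. Scales, zone boundaries,
control effects and the sample hazards are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Ordinal 1..5 scales (assumed): p(a) and s(a) from risk = p(a) * s(a).
LIKELIHOOD = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}


def _name(scale: dict, value: int) -> str:
    return next(k for k, v in scale.items() if v == value)


def risk_score(likelihood: str, severity: str) -> int:
    """risk = p(a) * s(a) on the ordinal scales."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def acceptability(likelihood: str, severity: str) -> str:
    """Risk-matrix zone for a likelihood/severity pair.

    Zone boundaries are an assumption for this example: 12 and above is
    unacceptable, 4 and below is acceptable, anything in between must be
    reduced as far as practicable before it can be accepted.
    """
    score = risk_score(likelihood, severity)
    if score >= 12:
        return "unacceptable"
    if score <= 4:
        return "acceptable"
    return "reduce further"


@dataclass
class Control:
    """A safety measure. kind: remove the hazard, reduce likelihood, reduce
    severity, or detect (alert supervisory personnel so they can act within
    the fault tolerance time; modelled here as reducing the accident's
    likelihood, an assumption)."""
    description: str
    kind: str          # "remove" | "likelihood" | "severity" | "detect"
    steps: int = 1     # scale steps the control is credited with (assumed)


@dataclass
class Hazard:
    hid: str
    description: str
    likelihood: str
    severity: str
    functional_impact: int = 0   # 0..10 business view; carries no health meaning
    controls: list = field(default_factory=list)


def residual_risk(h: Hazard) -> Optional[Tuple[str, str]]:
    """Likelihood/severity after all controls, or None if the hazard was removed."""
    lk, sv = LIKELIHOOD[h.likelihood], SEVERITY[h.severity]
    for c in h.controls:
        if c.kind == "remove":
            return None
        if c.kind in ("likelihood", "detect"):
            lk = max(1, lk - c.steps)
        elif c.kind == "severity":
            sv = max(1, sv - c.steps)
        else:
            raise ValueError(f"unknown control kind {c.kind!r}")
    return _name(LIKELIHOOD, lk), _name(SEVERITY, sv)


def evaluate(register) -> dict:
    """Initial and residual risk per hazard, plus the business-criticality flag."""
    report = {}
    for h in register:
        entry = {
            "initial_score": risk_score(h.likelihood, h.severity),
            "initial_decision": acceptability(h.likelihood, h.severity),
            # A failure with no health impact can still be a critical business issue.
            "business_critical": h.functional_impact >= 8,
        }
        res = residual_risk(h)
        if res is None:
            entry["residual_score"], entry["residual_decision"] = 0, "hazard removed"
        else:
            entry["residual_score"] = risk_score(*res)
            entry["residual_decision"] = acceptability(*res)
        report[h.hid] = entry
    return report


# Constructed sample register for a hypothetical infusion pump.
REGISTER = [
    Hazard("H1", "Software fault drives flow above the programmed rate",
           "occasional", "critical", functional_impact=8, controls=[
               Control("Independent hardware flow limiter caps delivery", "severity", steps=2),
               Control("Watchdog alarm lets the clinician stop the pump in time", "detect"),
           ]),
    Hazard("H2", "Drug library fails to load; pump refuses to start any infusion",
           "occasional", "negligible", functional_impact=10),
    Hazard("H3", "Unauthenticated wireless command changes the infusion rate",
           "remote", "catastrophic", functional_impact=6, controls=[
               Control("Accept only authenticated, integrity-protected commands", "likelihood"),
               Control("Dose ceiling enforced independently of the wireless path", "severity"),
           ]),
]

if __name__ == "__main__":
    for hid, entry in evaluate(REGISTER).items():
        print(hid, entry)
```

Two things the register shows that the slides only state: H1 starts in the unacceptable zone and needs two controls of different kinds before its residual risk is acceptable, and H2 is acceptable from a safety standpoint yet flagged business-critical, which is the "0 on health, 10 on functionality" case. H3 is the security-as-hazard case: interference from the wireless path is estimated, evaluated and controlled with the same machinery as any other hazard.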

Page 12: Risk management in development of life critical systems


Product Development and Risk Management

Basic Product Development Phases

Phase 1 – Researching new opportunities
Phase 2 – Proving feasibility
Phase 3 – Scheduled development (prototypes)
Phase 4 – Validation (clinical trials)
Phase 5 – Delivery (launch) and maintenance

The Timing of Risk Mitigation

The purpose of risk mitigation (FMEA/hazard analysis) is to affect the design. The time to begin this process is when competing designs are being considered (phases 1 and 2). The FDA requires a risk assessment (hazard analysis) as a deliverable, but if it is done late in the product lifecycle it is primarily a documentation exercise rather than a true control measure used to identify and mitigate design choices that should not have been chosen or that introduce higher risk or more costly development.

(Figure: lifecycle timeline. Phases: Concept & Feasibility, Design, Develop, Test, Produce. Design Control activities: Product Portfolio Planning & Requirements; Specification, Modeling, Simulation; Build & Release; Verification and Validation; Change Control. Risk Assessment activities: Preliminary Hazard Analysis and Risk Management Plan; Detailed risk analysis (FMEA, FTA); Risk Management Report; Risk Reviews.)

Page 13: Risk management in development of life critical systems


Agenda

Smart medical device – a definition

What is Safety? Risk and Hazard Analysis

Product Development Best Practices

Rational Platform for Smarter Medical Device Development

Success stories based on IBM solutions

Questions and Next Steps

Page 14: Risk management in development of life critical systems


Best Practices for Smarter and Safer Product Development

1. Evolve product portfolios effectively. Balance potential product reward with risk to choose the right product design, at the right time, for the right market: risk estimation/balancing

2. Begin hazard analysis at the requirements stage. Capture, define and analyze potential hazards up front while developing and managing the requirements: preliminary hazard analysis and risk management plan

3. Develop systems and software in a model-driven way. Visually develop complex systems using a structured approach and introduce control measures to balance risk vs. reward in design choices: detailed risk analysis (FTA)

4. Control change for Good Manufacturing Practice (GMP). Establish an integrated change process across the lifecycle: manage the safety impact of changes

5. Metrics, measurement, reporting and automated document generation. Generate the right document at the right time across the development disciplines to adhere to standards and demonstrate compliance: dynamically monitor risk factors and generate risk management reports

6. Improve quality from the beginning through the end. Make quality management a continuous lifecycle activity: verification and validation

Page 15: Risk management in development of life critical systems


Best Practice 1: Product Line Portfolio Management

Product Portfolio Management - Evolve Product Portfolios Effectively

Determine risk elements up front and balance risk with reward: perform decision analysis inclusive of increased or decreased risk of harm and/or higher/lower profit and reliability

Compare and rank features and functions against possible hazards and impact on sales/profitability

Utilize visualization, prioritization, and unique road mapping and planning capabilities

Centralize information for key decision-making and status reporting

Ensure the most valuable capabilities are not unintentionally minimized or eliminated

Use objective information to overcome the influence of the loudest voice

(Screenshot generated from Rational FocalPoint)

Page 16: Risk management in development of life critical systems


Best Practice 2: Requirements Engineering and Management

Requirements Management across the Product Lifecycle: capture, define, analyze, and manage requirements

Create Preliminary Hazard Analysis and Risk Management Plans

Improves visibility of and collaboration on requirements for all product stakeholders

Comprehensive support for recording, structuring, managing, and analyzing requirements, hazards and their traceability across development

Supports FDA 21 CFR Part 11 compliant electronic signatures for sign-off of specification baselines

Integrates with portfolio management, modeling, change management and quality management solutions for a full lifecycle solution

(Screenshot generated from Rational DOORS)

Page 17: Risk management in development of life critical systems


Best Practice 3: Model Driven Systems Engineering

Develop Systems and Software in a Model-Driven way: visually develop complex systems using a structured approach

Design and analyze the system to identify the conditions and events that can lead to hazards

Traceability from requirements through implementation and test

Validate, simulate and verify design and implementation during the entire product lifecycle

Customizable documentation generation automates the production of FDA submission documentation

Visual modeling manages complexity and improves communication

Generate production-quality code for embedded targets

Reduce testing time and improve results with model-driven testing

Leverage and visualize existing code for documentation

(Screenshot generated from Rational Rhapsody)

Page 18: Risk management in development of life critical systems


Design for Safety

The key to safe systems is to analyze the system and to identify the conditions and events that can lead to hazards.

Fault Tree Analysis (FTA) determines what logical combination of events and conditions is necessary for a hazardous condition to occur.

By "ANDing" redundancy into the tree, so that two or more independent faults must occur before the hazard does, architectural redundancy can be added wherever the tree shows a single fault leading to the hazard.

Best Practice 3: Model Driven Systems Engineering
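As an added example (not from the deck and not Rational Rhapsody's own analysis), the following Python shows what a fault tree determines: the minimal cut sets (the smallest combinations of basic events sufficient for the hazardous top event), the top-event probability under the assumption of independent basic events, and the effect of "ANDing" in a redundant component. The tree, its event names and all probabilities are constructed for a hypothetical infusion pump and are assumptions, not data from any real device.

```python
"""Fault tree analysis: minimal cut sets, top-event probability, and the effect
of ANDing-in redundancy.

Added example, not from the original deck. The tree and every probability are
constructed assumptions for a hypothetical infusion pump.
"""
from itertools import product
from math import prod


class Event:
    """Basic event with an assumed probability of occurrence."""
    def __init__(self, name: str, p: float):
        self.name, self.p = name, p


class Gate:
    """AND (all inputs required) or OR (any input sufficient) over events/gates."""
    def __init__(self, kind: str, name: str, inputs: list):
        if kind not in ("AND", "OR"):
            raise ValueError(kind)
        self.kind, self.name, self.inputs = kind, name, inputs


def probability(node) -> float:
    """Probability of the node's event, assuming independent basic events."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)       # OR: 1 - P(no input occurs)


def _minimal(sets):
    """Drop every cut set that contains another cut set."""
    sets = set(sets)
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node) -> set:
    """Minimal cut sets: the smallest sets of basic events that cause the node."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    children = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        return _minimal(set().union(*children))
    return _minimal({frozenset().union(*combo) for combo in product(*children)})


def single_points_of_failure(node) -> list:
    """Basic events that alone cause the top event (order-1 cut sets)."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def build_tree(redundant_sensor: bool) -> Gate:
    """Hypothetical over-infusion tree; probabilities are assumed per-hour values."""
    excess_commanded = Gate("OR", "excess flow commanded", [
        Event("software fault commands wrong rate", 1e-4),
        Event("operator enters wrong rate", 1e-3),
    ])
    sensor_a = Event("flow sensor A fails", 1e-3)
    if redundant_sensor:
        # ANDing-redundancy: both independent sensors must fail before the guard is lost.
        guard_lost = Gate("AND", "flow monitor lost",
                          [sensor_a, Event("flow sensor B fails", 1e-3)])
    else:
        guard_lost = sensor_a
    pumped_overdose = Gate("AND", "pump delivers excess flow", [excess_commanded, guard_lost])
    # Free-flow bypasses the pumping mechanism, so no flow sensor guards against it.
    return Gate("OR", "over-infusion reaches patient", [
        pumped_overdose,
        Event("free-flow on administration set removal", 1e-5),
    ])


if __name__ == "__main__":
    for label, tree in (("single sensor", build_tree(False)),
                        ("redundant sensors", build_tree(True))):
        print(f"{label}: P(top) = {probability(tree):.3e}")
        for cs in sorted(cut_sets(tree), key=len):
            print("   cut set:", sorted(cs))
        print("   single points of failure:", single_points_of_failure(tree))
```

Running it shows why the cut sets matter more than the headline probability: with a single flow sensor every pumped overdose needs two faults, but the free-flow event is an order-1 cut set, and adding the second sensor moves the top-event probability only from about 1.11e-5 to about 1.00e-5 because that single point of failure still dominates. The redundancy the tree justifies first is the one that ANDs a second fault onto the order-1 path (for instance an anti-free-flow clamp), which is the design-affecting conclusion the slide is after.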

Page 19: Risk management in development of life critical systems


Model system use cases to understand and identify potential hazards and risks

(Screenshot generated from Rational Rhapsody)

Best Practice 3: Model Driven Systems Engineering

Page 20: Risk management in development of life critical systems


Link requirements to use cases to ensure all uses are fully understood so hazards can be identified earlier

(Screenshot generated from Rational Rhapsody)

Best Practice 3: Model Driven Systems Engineering

Page 21: Risk management in development of life critical systems


Produce hazard and fault tables as part of your development and ongoing risk management process, not "after the fact"

(Screenshot generated from Rational Rhapsody)

Best Practice 3: Model Driven Systems Engineering

Page 22: Risk management in development of life critical systems


Link potential faults to requirements for clarity on requirements with hazard mitigations

(Screenshot generated from Rational Rhapsody)

Best Practice 3: Model Driven Systems Engineering

Page 23: Risk management in development of life critical systems


Best Practice 4: Integrated Change and Configuration Management

Control Change for Quality Systems Good Manufacturing Practice: establish an integrated change process across the lifecycle

(Figure: Integrated Change Management at the centre, connected to: capture customer requests and market-driven enhancements; manage portfolio and product priorities; capture and manage requirements; develop model-driven system -> software; execute tests in the testing eco-system; configuration management; integrate suppliers; collaboration, process and workflow; and collaborate across the mechanical, electrical and software development disciplines.)

Page 24: Risk management in development of life critical systems


Best Practice 5: Metrics, Measurement and Report Generation

Use Metrics and Dynamic Reporting to Reduce Risk

Make more informed, faster, and more aligned decisions to reduce risk and costs

Full range of BI capabilities for all software delivery communities to receive relevant information with connection to live ALM data, in a single integrated offering

Open enterprise-class platform to cost-effectively scale to meet user demands

Why? Reporting & Analysis. How are we doing? Scorecards & Dashboards

(Screenshot generated from Rational Insight)

Page 25: Risk management in development of life critical systems


Automate Document Generation: generate the right report and the right document at the right time

Increase productivity by allowing engineers to focus on engineering, NOT formatting concerns

Maintain accuracy through quick one-click document generation that captures last-minute changes to data held in disparate source applications

Enhance documentation quality and consistency by sharing and reusing templates

Deploy a consistent set of reports, measurements, and dashboards with tight integrations to tools across the Rational and Telelogic ALM product lines, and other common/3rd-party data sources

Measure, monitor and analyze data to improve efficiency and process maturity, as well as early identification and mitigation of risks.

Best Practice 5: Metrics, Measurement and Report Generation

(Screenshot generated from Rational Publishing Engine from data sources of Rational RTC and RQM)

Page 26: Risk management in development of life critical systems


Best Practice 6: Continuous Quality Management

Improve Quality from the Beginning through the End: make quality management a continuous lifecycle activity

Unify the entire team with a shared view of quality assets

Comprehensive dynamic planning and updates

Intelligent automation to improve accuracy and efficiency

Automated reporting to enhance project decision-making

(Figure: quality management (QM) linked with requirements management (RM) and product portfolio management (PPM).)

Page 27: Risk management in development of life critical systems


Agenda

Smart medical device – a definition

What is Safety? Risk and Hazard Analysis

Product Development Best Practices

Rational Platform for Smarter Medical Device Development

Success stories based on IBM solutions

Questions and Next Steps

Page 28: Risk management in development of life critical systems


Modern Approaches for Describing Systems Are Evolving to Better Manage Complexity and Reduce Time-to-market

Moving from manual methods (lagging) to an automated approach (leading) for: specifications; interface requirements; system design; risk analysis and trade-off; test plans

Organizations are looking for a productivity breakthrough, not just incremental improvement. How can we significantly increase the value from our product delivery platform?

Page 29: Risk management in development of life critical systems


Collaborate, Automate, Improve

Collaborate across diverse engineering disciplines and development teams

Achieve "quality by design" with an integrated, automated testing process

Manage all system requirements with full traceability across the lifecycle

Use modeling to validate requirements, architecture and design throughout the development process

(Figure: Rational Rhapsody, Rational Quality Manager, Rational RRC/DOORS, Rational Team Concert)

The design and delivery of smart products is enabled by a collaborative solution that facilitates innovation while fostering visibility and integration to quantify hazards and risks

Page 30: Risk management in development of life critical systems


Rational Combined Portfolio in Action: industry's most comprehensive offering

(Figure: System and Software Lifecycle Process Management, covering Requirements Definition & Management; Analysis & Design; Quality Management; Release Management; Team Management; Configuration & Change Management; Production / Operations; Enterprise Architecture / Architectural Frameworks; Measurement & Reporting; Product, Project & Portfolio Management.)

Page 31: Risk management in development of life critical systems


Agenda

Smart medical device – a definition

What is Safety? Risk and Hazard Analysis

Product Development Best Practices

Rational Platform for Smarter Medical Device Development

Success stories based on IBM solutions

Questions and Next Steps

Page 32: Risk management in development of life critical systems


Aberdeen Study on Best in Class Product Development

Performance measures of Best in Class

Achieve quality targets 95% on average, 12% above Industry average, 1.8 times as often as laggards

Achieve product launch dates 92% on average, 21% above Industry average, 2.9 times as often as laggards

Achieve revenue targets 96% on average, 25% above Industry average, nearly twice as often as laggards

Common characteristics of Best in Class

Manage Requirements: Twice as likely as the Industry average and 3 times as likely as laggards to address entire lifecycle of requirements

Leaders in Systems Modeling and Simulation. 5 times as likely as the Industry average and 7 times as likely as laggards to digitally validate system behavior with the simulation of integrated mechanical, electrical and software components

Manage Change: 51% more likely than Industry average and 3 times more likely than laggards to notify other disciplines of changes.

Source: Aberdeen, System Design: New Product Development for Mechatronics

(Chart: inclusion of embedded software components in product development, 66% / 34%)

Page 33: Risk management in development of life critical systems


Customer Success: Safe Ventilation, at rest and on the move. Hamilton Medical AG and IBM partner EVOCEAN GmbH

What's smart? Intelligent ventilation for intensive care; innovative cockpit display, ease of use; frees medical staff, improves patient outcome, reduces cost

Smarter business outcomes: earlier error recognition, using a modeling approach with code generation; consistent documentation with direct association between design and code; improved collaboration

How Rational Rhapsody helps: proven embedded and real-time track record; code generation; re-usable software platform

"Thanks to graphical representation of processes and states and being able to execute them, we now have a significantly improved basis for discussion. It's also easier for new employees to get going - provided they have some basic understanding of UML and Rhapsody®." Andreas Anderegg, Software Engineer

Page 34: Risk management in development of life critical systems


Customer Success: Innovation, streamlined audits, increased quality. Waters Corporation

"After about 15 minutes of spending with the auditor, he was just blown away on how effective the Rational tools were in terms of addressing all of his audit questions."

What's smart? Efficient systems for verifying the purity of drugs, food products and water resources; highly accurate blood tests with greater precision for healthcare diagnosis

Smarter business outcomes: innovation to enable significant advancements in healthcare delivery, environmental management, food safety, and water quality worldwide; increased quality and throughput of the assays performed with cost-effective technology

How Rational enables smarter products: full traceability with an integrated requirements, change, and configuration management solution; performance improvement through global collaboration and component-based development

Page 35: Risk management in development of life critical systems


Customer Success: Mobile access to medical images. Merge Healthcare

What's smart?

Provides medical professionals access to complex medical images on mobile devices

Helps facilitate prompt access to medical imaging data – anytime or anywhere (product not yet released)

Smarter business outcomes

Reduced hospital operations costs

Reliable, secure, scalable delivery of medical images and reports

How Rational enables smarter products

Collaboration across globally distributed development teams

Change management across the end-to-end software lifecycle

"We rely on (Rational Change and Configuration Management Solutions) to manage the complexity of the software and to ensure that our global development teams operate as one, for the best result to our customers. This software from IBM is part of our livelihood; it's our DNA."

Page 36: Risk management in development of life critical systems


Customer Success: Going Agile with Global Collaboration. Reducing Cost in a Global Context – Medical Device Company

Environment:
1000+ users worldwide
3 development sites (US, Europe, India)
Continuous unit testing required with strong auditing
Heterogeneous development infrastructure

Issues:
Desire to use Agile techniques thwarted by internal process overhead
No global access to assets
Poor change management support for parallel development
Multiple points of failure
No continuous integration
Lack of compliance support

Improved Outcomes:
Global Agile development process supported by a repeatable deployment model
Iterations accelerated 3X, build times reduced by 65%
Improved compliance
Secure developer self-service established
$6M+ savings per year over 3 years

"We were interested to adopt Agile Development, but were limited by an inflexible, non-standard process. Each team did their own thing, and there were multiple points of failure on each project."

Page 37: Risk management in development of life critical systems


Summary: IBM Rational Solution for Developing Life Critical Systems

Deliver life critical systems and medical devices that address market needs through portfolio management

Provide a clear audit trail across the development lifecycle with requirements management

Validate designs and associated risks early with model-driven development, and model and manage safety risks and hazards with FTAs

Integrate change management processes to coordinate development in a collaborative platform

Automate document generation for compliance

Drive quality throughout the product lifecycle

Execute best practices and collaborate through an integrated product lifecycle solution

Page 38: Risk management in development of life critical systems


© Copyright IBM Corporation 2008. All rights reserved.

The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.

IBM, the IBM logo, the on-demand business logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.