A security flaw is identified in another medical device, another set of patient data results is mixed up, configuration information is lost after a software update, another device fails to perform as intended. News stories continue to implicate software in medical device failures as the use of software in healthcare continues to grow. We don’t leverage a common language to describe defects in software, which limits our ability discover how the defects become part of a medical device, understand what defects are common across the sector or product classes, or how to prevent defects in the future.
AAMI has developed a new standard that is out for public review: SW91 Classification of Defects in Health Software. This standard aims to address this problem by providing a common language to describe software defects. It includes a base set of defects that occur during all phases of the software and product development life cycles, but is flexible enough that new defect types can be added as technology and development methods evolve. It is technology, methodology, and programming-language neutral so that all organizations can use and share information.
Companies often have an enterprise-wide method to describe the defects they identify in their products, although how they identify and characterize a defect may vary from company to company. This makes it impossible to anonymously gather and analyze common defect and failure information in a broader context, to explore defect trends across the sector, or to predict if the type and number of defects seen by a company is unusual. It may be that some types of problems are common or similar among different companies and that industry-wide training and tools could be developed to easily address them. Without a common way to classify and gather software defect information, the strength and usefulness of such methods and tools cannot be fully realized.
Gathering useful data on the causes of software-related failures could be greatly facilitated if there was a common way to identify and report the software defects that lead to these failures. Existing methods to describe defects often focus on capturing attributes of the defect and the failure such as priority, severity, probability of recurrence, and insertion activity. The values of some attributes are easily bounded (e.g., “High,” “Moderate,” “Low”) but the attributes to describe the cause of the defect itself are less clearly defined. Some taxonomies exist for specific failure modes, defects and weaknesses, although none are standardized or have gained traction for use across the medical device sector.
Please take a moment to download AAMI SW91 and provide your comments during the ballot period which ends Nov. 28, 2016. We encourage everyone developing, integrating or using medical devices and health software to review the standard and let us know what you think. Send your comments to me at firstname.lastname@example.org. If you have problems accessing this link, you can contact me at the same email address.
Wil Vargas is a standards director at AAMI.