Robert A. Martin 19 March 2018

Similar documents
CENTER FOR DEVICES AND RADIOLOGICAL HEALTH. Notice to Industry Letters

Model Based Systems Engineering

Principled Construction of Software Safety Cases

Software as a Medical Device (SaMD)

Combination Products Verification, Validation & Human Factors Sept. 12, 2017

Transitioning UPDM to the UAF

Developing and Distributing a CubeSat Model-Based Systems Engineering (MBSE) Reference Model Interim Status

Towards a multi-view point safety contract Alejandra Ruiz 1, Tim Kelly 2, Huascar Espinoza 1

Guidance for Industry and FDA Staff Use of Symbols on Labels and in Labeling of In Vitro Diagnostic Devices Intended for Professional Use

National Coordinated Registry Network (CRN) Think-tank

Background T

Implementing Quality Systems

Towards an MDA-based development methodology 1

Technology Needs Assessments under GEF Enabling Activities Top Ups

Deciding When to Submit a 510(k) for a Software Change to an Existing Device Draft Guidance for Industry and Food and Drug Administration Staff

Compliance & Safety. Mark-Alexander Sujan Warwick CSI

Global Harmonization Task Force

Applied Safety Science and Engineering Techniques (ASSET TM )

Safety Cases for Medical Devices and Health IT: Involving Healthcare Organisations in the Assurance of Safety. Mark A. Sujan

Deviational analyses for validating regulations on real systems

This document is a preview generated by EVS

CDRH PMA Critical to Quality (CtQ) Pilot

Thank you for the opportunity to comment on the Audit Review and Compliance Branch s (ARC) recent changes to its auditing procedures.

Workshop on Offshore Wind Energy Standards and Guidelines: Metocean Sensitive Aspects of Design and Operations in the United States July 17, 2014

Violent Intent Modeling System

Robert Bond Partner, Commercial/IP/IT

Environmental Protection Agency

SAFETY CASE PATTERNS REUSING SUCCESSFUL ARGUMENTS. Tim Kelly, John McDermid

IEEE STD AND NEI 96-07, APPENDIX D STRANGE BEDFELLOWS?

Pan-Canadian Trust Framework Overview

Part 2: Medical device software. Validation of software for medical device quality systems

Guidance for Industry

Value Paper. Are you PAT and QbD Ready? Get up to speed

Making your ISO Flow Flawless Establishing Confidence in Verification Tools

Draft executive summaries to target groups on industrial energy efficiency and material substitution in carbonintensive

A FRAMEWORK FOR PERFORMING V&V WITHIN REUSE-BASED SOFTWARE ENGINEERING

Ophthalmic Digital Health Areas

Technology Transfer: An Integrated Culture-Friendly Approach

Automated Driving Systems with Model-Based Design for ISO 26262:2018 and SOTIF

National Medical Device Evaluation System: CDRH s Vision, Challenges, and Needs

Technology Transition Assessment in an Acquisition Risk Management Context

Progressive Licensing and the Modernization of the Canadian Regulatory Framework

Importance of ICH Guidance in Fulfilling Process Validation Requirements

1. Redistributions of documents, or parts of documents, must retain the SWGIT cover page containing the disclaimer.

Protection of Privacy Policy

Progress in FDA s Drug Product Quality Initiative. Janet Woodcock, M.D. November 13, 2003

TGA Discussion Paper 3D Printing Technology in the Medical Device Field Australian Regulatory Considerations

ThinkPlace case for IBM/MIT Lecture Series

ICH Q8, 9 & 10 and the Impact on the QP

Methodology for Agent-Oriented Software

Agency Information Collection Activities; Proposed Collection; Comment Request; Good

Prof. Steven S. Saliterman. Department of Biomedical Engineering, University of Minnesota

Higher National Unit specification. General information for centres. Unit code: F1MM 34

Tutorials.

FY 2008 (October 1, 2007 September 30, 2008) NIMS Compliance Objectives and Metrics for Local Governments

SAFIR2014: CORSICA Coverage and rationality of the software I&C safety assurance

Developing and Distributing a CubeSat Model-Based Systems Engineering (MBSE) Reference Model

The Privacy Case. Matching Privacy-Protection Goals to Human and Organizational Privacy Concerns. Tudor B. Ionescu, Gerhard Engelbrecht SIEMENS AG

Model Based Design Of Medical Devices

A Safety Case Approach to Assuring Configurable Architectures of Safety-Critical Product Lines

Support of Design Reuse by Software Product Lines: Leveraging Commonality and Managing Variability

Details of the Proposal

510 (k) Summary. Imp SFB7 Body Composition Analyzer

A MODEL-DRIVEN REQUIREMENTS ENGINEERING APPROACH TO CONCEPTUAL SATELLITE DESIGN

EXPERIENCES OF IMPLEMENTING BIM IN SKANSKA FACILITIES MANAGEMENT 1

BUILDING INTEROPERABILITY STANDARDS FOR VITAL RECORDS

University of Massachusetts Amherst Libraries. Digital Preservation Policy, Version 1.3

National Provider Identifier (NPI) Frequently Asked Questions

Can the Innovation Watchdog Innovate? FDA s Recent Proposals to Streamline the Medical Device Clearance Process

Functional safety for semiconductor IP

Privacy Management in Smart Cities

Office of Pharmaceutical Quality: Why, What, and How?

DEPUIS project: Design of Environmentallyfriendly Products Using Information Standards

Toward Objective Global Privacy Standards. Ari Schwartz Senior Internet Policy Advisor

Human Factors Points to Consider for IDE Devices

Models, Simulations, and Digital Engineering in Systems Engineering Restructure (Defense Acquisition University CLE011)

Prof. Steven S. Saliterman. Department of Biomedical Engineering, University of Minnesota

4/8/2018. Prof. Steven S. Saliterman Department of Biomedical Engineering, University of Minnesota

TITLE V. Excerpt from the July 19, 1995 "White Paper for Streamlined Development of Part 70 Permit Applications" that was issued by U.S. EPA.

A Process Assessment Model for Assessing the Risk Associated with placing a Medical Device on a Medical IT Network

Delete Current Exhibit VI and replace with this Exhibit VI Keep same Title

TOWARDS AN ARCHITECTURE FOR ENERGY MANAGEMENT INFORMATION SYSTEMS AND SUSTAINABLE AIRPORTS

A Case for Regulatory Framework

Contextual Integrity through the lens of computer science

Outline. Outline. Assurance Cases: The Safety Case. Things I Like Safety-Critical Systems. Assurance Case Has To Be Right

ISO/IEC JTC 1/WG 11 N 49

progressive assurance using Evidence-based Development

Privacy Policy SOP-031

TABLE OF CONTENTS DUPONT TYVEK MEDICAL PACKAGING TRANSITION PROJECT (MPTP) EXECUTIVE SUMMARY JUNE 2016 THE FINAL PHASE EXECUTIVE SUMMARY 2

Autonomy Test & Evaluation Verification & Validation (ATEVV) Challenge Area

The European statement of principles on human machine interaction 2005

Standards and privacy engineering ISO, OASIS, PRIPARE and Other Important Developments

SYSTEM ANALYSIS & STUDIES (SAS) PANEL CALL FOR PAPERS

DHS-DOD Software Assurance Forum, McLean VA 6 Oct 2008 Very loosely based on Daniel s 2007 briefing

The Tool Box of the System Architect

REPRESENTATION, RE-REPRESENTATION AND EMERGENCE IN COLLABORATIVE COMPUTER-AIDED DESIGN

This is a preview - click here to buy the full publication

RAMI 4.0 and IIRA reference architecture models A question of perspective and focus

g~:~: P Holdren ~\k, rjj/1~

SECTION SUBMITTAL PROCEDURES

Transcription:

Robert A. Martin 19 March 2018

Students helped assemble a collection of commercial IoT devices and record their RF emissions

369 Requests for Information 299 Requests to Register 131 Teams entered the challenge 50% International (35 countries) 8 Teams submitted answers Team 0xDEADBEEF Wins Runners up: Team Pulzze Systems and Team Tietronixs

B 0x9 Preamble Payload C 0xd B 0x9 Clear cluster distinctiveness C 0xd

Expanding Attack Surfaces of Transportation Systems

The Key System Characteristics of Trustworthiness as a Quality Measure Industrial IoT Quality is a continuum of system characteristics OT Security (IEC 62443*) meets IT Security (ISO 27000*) Privacy (GDPR*), Resilience (ISO*, IEC*), Reliability (NIS*) are quality features in both OT and IT Determine and ensure quality measures per vertical, e.g. audit, certification

Claims of Trustworthiness Gathering Evidence for Assurance Cases

Claims of Trustworthiness Gathering Evidence for Assurance Cases

Claims of Trustworthiness Gathering Evidence for Assurance Cases

The Key System Characteristic: Safe

But if every IIoT System has a unique array of requirements how do we manage that? Possible IIoT System Trustworthiness Requirements

Group Requirements around families of IIoT Systems that similar functions, environment, and other context?

Infusion Pumps Total Product Life Cycle Guidance for Industry and FDA Staff Support for Safety Case Generation via Model Transformation Chung-Ling Lin, Wuwei Shen Department of Computer Science Western Michigan University Kalamazoo, MI, USA {chung-ling.lin, wuwei.shen}@wmich.edu Richard Hawkins Department of Computer Science The University of York York, UK richard.hawkins@york.ac.uk Document issued on: December 2, 2014 The draft of this document was issued on April 23, 2010. This document supersedes the Guidance on the Content of Premarket Notification [510(k)] Submissions for External Infusion Pumps, issued March, 1993. OMB Control Number: 0910-0766 Expiration Date: 5/31/2017 For questions regarding this document, please contact Alan Stevens, General Hospital Devices Branch, Office of Device Evaluation at 301-796-6294 or via email at alan.stevens@fda.hhs.gov. The technological features of the devices. For questions regarding safety assurance cases, please contact Richard Chapman, General Hospital Devices Branch, Office of Device Evaluation at 301-796-2585 You or should via email describe at how any differences in technology may affect the comparative safety and richard.chapman@fda.hhs.gov. performance of your device. For questions regarding pre-clearance inspections, please contact Francisco Vicenty, Respiratory, Ear/Nose/Throat, General Hospital, Infectious Control, and Ophthalmic 5. Safety Devices Assurance Branch, Case Office of Compliance at 301-796-5770 or via email at francisco.vicenty@fda.hhs.gov. Infusion pump 510(k) submissions typically include changes or modifications to software, materials, design, performance, or other features compared to the predicate. Accordingly, FDA expects that most new devices (as well as most changed or modified devices For questions pertaining to manufacturer reporting requirements, please contact Sharon Kapsch at 5 ) will have differences in technological characteristics from the legally marketed predicate device even if 301-796-6104 or via email at sharon.kapsch@fda.hhs.gov. sharing the same intended use. Under section 513(i) of the Federal Food, Drug, and Cosmetic Act (the FD&C Act), determinations of substantial equivalence will rely on whether the information submitted, including appropriate clinical or scientific data, demonstrate that the new or modified device is as safe and effective as the legally marketed predicate device and does not raise different U.S. Department of Health and Human Services questions of safety and effectiveness in comparison to the predicate device. Food and Drug Administration Center In determining for Devices whether and your new, Radiological changed, or Health modified infusion pump is substantially equivalent, FDA recommends that you submit your information through a framework known as a safety assurance case. 6 Office of Device Evaluation Division of Anesthesiology, General Hospital, The safety assurance case (or safety case) consists of a structured argument, supported by a body of valid scientific Respiratory, evidence Infection that provides Control, an organized and case that the infusion pump adequately addresses hazards associated with its Dental intended Devices use within its environment of use. The argument should be commensurate General Hospital with the potential Devices risk Branch posed by the infusion pump, the complexity of the infusion pump, and the familiarity with the identified risks and mitigation measures. ABSTRACT Assessing the safety of complex safety- or mission-critical systems under ever tightening time constraints with any degree of confidence is a growing challenge for industry and regulators alike. One method of helping to address this situation is through the use of assurance cases. Challenges abound here as well; too little or too much abstraction or poorly constructed arguments can affect confidence that a system will perform as intended. The automatic generation of a (safety) assurance case not only can expedite a development process but also leverage the ability to perform compliance checking. In this paper, we propose a novel framework which weaves a safety case pattern, guidance metamodel, and a development process metamodel together to generate a safety assurance case, which facilitates checking the conformance of the system to the guidance. As a case study, we use the GPCA infusion pump project as a subject to illustrate how this framework can aid in compliance checking using the infusion pump guidance published by FDA as a reference oracle. Keywords Compliance checking; model transformation; safety-critical systems; safety case. 1. INTRODUCTION Assessing the safety of complex safety- and mission-critical systems, such as medical devices, under ever tightening time constraints with an acceptable level of confidence is a growing challenge for industry and regulators alike. One method of helping to address this is through the use of safety assurance cases (or safety case in short) [1]. For instance, the U.S. Food and Drug Administration (FDA) recently released an infusion pump a guidance document on the total product lifecycle for infusion pumps [2], which recommends infusion pump manufacturers to use safety assurance case ( safety case ) as a structured means to organize and present to FDA the information supporting the safety claims of their infusion pump devices. In this paper, we take the infusion pump guidance as an example to discuss how to automatically construct a safety case in safety critical domains. The construction and review of a safety case for an infusion pump system are a daunting task for various stakeholders such as Copyright retained by the authors. manufacturers and FDA regulators due to the following reasons. Firstly, the guidance provides general requirements on what types of safety properties that a safety case should argue about and what kind of evidence it should collect from development artifacts. But, it leaves it up to device manufacturers to decide the ways of constructing a safety case in terms of using the collected evidence to support the specific safety claims articulated for their devices. This however creates a gap between the guidance s requirements and the device development process for the device that needs the manufacturers to properly bridge when constructing their safety cases. This gap also makes it challenging for regulators to review the safety cases, because they need to first understand how guidance requirements are mapped to the safety claims in the safety cases and then evaluate the trustworthiness and qualification of the collected evidence in supporting these claims. Exacerbating the problem is the poor quality of evidence and arguments assembled in the safety cases: many safety cases suffer from the structural problems, such as too little or too much abstraction and poorly constructed arguments. Secondly, like many other guidance documents or standards across the safety critical industries, the guidance intends to be generic to ensure its applicability to as many infusion pump devices as possible. Consequently, it creates a space for different stakeholders, such as suppliers, clients, and certifiers, to come up with different understanding/interpretation of the guidance s requirements. For example, the guidance recommends manufacturers to conduct hazard analysis to identify the risks associated with their devices and use the results to define the safety claims to be included in the safety cases. However, it leaves it up to manufacturers to decide the specific hazard analysis techniques to use and the process of using such techniques. The difference among stakeholders in interpreting the guidance creates a communication gap between them. Safety cases need to be constructed properly to help to remediate the difference, rather than making it worse. To address the above challenges, we propose a novel model-based framework, called SPIRIT, that applies the notions of safety case patterns and model weaving to support the mechanical generation and validation of safety cases. Central to SPIRIT is to utilize safety case patterns [3] to enable the mechanized and consistent generation of safety cases for the same type of systems. In this way, the cost of constructing safety cases can be reduced and the confidence of such safety cases can be improved, by reusing the safety case patterns that have been proven as successful in past practices to promote the communication among stakeholders. Beside the safety case pattern, SPIRIT requires two additional inputs: a guidance metamodel, in the format of a UML class diagram, to denote the guidance and remediate the stakeholders difference in interpreting the guidance; and a development process metamodel that defines how a manufacturer designs their infusion 5 Based on FDA s analysis of these devices, FDA expects that most changes or modifications to infusion pumps could significantly affect the safety or effectiveness of the devices and would therefore require submission of a new 510(k). See 21 CFR 807.81(a)(3). Note that a change to the intended use or technology of a 510(k)-cleared device may render the device not substantially equivalent (NSE) to a legally marketed predicate. For detailed information about substantial equivalence and 510(k) submissions, refer to the FDA guidance entitled, The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)] (http://www.fda.gov/downloads/medicaldevices/.../ucm284443.pdf). Any such device may thus be a class III device and require a premarket approval application (PMA), unless the device is reclassified under section 513 of the Federal Food, Drug, and Cosmetic Act. 6 For more information about assurance case reports, see, for example: Graydon, P., J. Knight, and E. Strunk, Assurance Based Development of Critical Systems, Proc. of 37 th Annual International Conference on Dependable Systems and Networks, Edinburgh, U.K., 2007; Kelly, T., Arguing Safety A Systematic Approach to Managing Safety Cases, Ph.D. Dissertation, University of York, U.K., 1998; Kelly, T., Reviewing Assurance Arguments - A Step-by-Step Approach, Proc. of Workshop on Assurance Cases for Security - The Metrics Challenge, Dependable Systems and Networks, July 2007; Kelly, Tim, and J. McDermid, Safety Case Patterns Reusing Successful Arguments, Proc. of IEE Colloquium on Understanding Patterns and Their Application to System Engineering, London, Apr. 1998; Weinstock, Charles B. and Goodenough, John B., Towards an Assurance Case Practice for Medical Devices, Carnegie Mellon Software Engineering Institute, October 2009; Hawkins, Richard, et. al., A New Approach to Creating Clear Safety Arguments, Safety-critical Systems Symposium, Southampton, UK, February 2011; UK Ministry of Defence, Defence Standard 00-56, Safety Management Requirements for Defence Systems Part 1 and Part 2, June 2007. Figure 9 Safety case model of GPCA system 9

NASA System Safety Framework (cont.) Assuring Safety Ensuring Safety 21

ad/2017-03-05 RFP Template: ab/15-06-01 Object Management Group ad/2017-03-05 RFP Template: ab/15-06-01 109 Highland Avenue Needham, MA 02494 USA Telephone: +1-781-444-0404 Facsimile: +1-781-444-0320 rfp@omg.org Safety and Reliability for UML Request For Proposal OMG Document: ad/2017-03-05 Letters of Intent due: 15 June 2017 Submissions due: 28 August 2017 Objective of this RFP The correct management and use of information concerning the safety and reliability of a safety-critical system is vital to that system s development costs and its eventual safety. The application of model-based approaches and tools can improve these tasks by automating manual tasks, adding clarity, and improving communication of complex ideas and concepts. This RFP looks to provide a standard profile for the OMG Unified Modeling Language TM (UML ) that works with the OMG Systems Modeling Language (SysML ) to allow the integration of safety and reliability information directly in a system model, where it can be modeled and processed directly with other system information. This RFP solicits proposals for a profile and/or optionally a model library for the Unified Modeling Language that enables the following: Capturing safety and reliability information in a system model. Reasoning on the safety and reliability information, both directly on the model and indirectly via model transformations. OMG RFP 23 June 2017 1 Visualising safety and reliability information. Exchanging safety and reliability information between a system model and external tools. Tracing between safety information, reliability information, and other information stored in a system model. For further details, see Section 6 of this document. 1 Introduction 1.1 Goals of OMG The Object Management Group (OMG) is a software consortium with an international membership of vendors, developers, and end users. Established in 1989, its mission is to help computer users solve enterprise integration problems by supplying open, vendor-neutral portability, interoperability and reusability specifications based on Model Driven Architecture (MDA). MDA defines an approach to IT system specification that separates the specification of system functionality from the specification of the implementation of that functionality on a specific technology platform, and provides a set of guidelines for structuring specifications expressed as models. OMG has published many widely-used specifications such as UML [UML], BPMN [BPMN], MOF [MOF], XMI [XMI], DDS [DDS] and CORBA [CORBA], to name but a few significant ones. 1.2 Organization of this document The remainder of this document is organized as follows: Section 2 Architectural Context. Background information on OMG s Model Driven Architecture. Section 3 Adoption Process. Background information on the OMG specification adoption process. Section 4 Instructions for Submitters. Explanation of how to make a submission to this RFP. Section 5 General Requirements on Proposals. Requirements and evaluation criteria that apply to all proposals submitted to OMG. OMG RFP 23 June 2017 2

Utilizing Appropriate Detection Methods to Collect Evidence to Gain Assurance Design Review Code Review Attack Surface Analysis Static Analysis Tool A Static Analysis Tool B Dynamic Analysis Tool C Fuzz Testing Pen Testing Blue Teaming Red Teaming

The Assurance Case for a System Builder using Assured Components

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback