Dominique Biraud from the SPECIEF (the french requirement engineering association) kindly invited me to present some of the ideas of this blog, especially those geared towards specification, at the French Day of Requirement Engineering 2016 (JIE 2016).

JIE 2016.png — The conference took place in an awesome amphitheater inside La Sorbonne

Here’s the slideshow of what I presented this day (in French): Presentation JIE 2016 – exigences agiles meddev

Worth noting is the fact that several speakers were experimenting with agile methodologies inside their organizations specialized in large systems design (such as turbojet engines or trucks). The driving force is always the same: the software guys went agile and there’s no turning back; the others are wondering what good they can take from these methodologies and how they can adapt to the new situation. Since software is always an important part in systems, this debate will spread and become ubiquitous.

I heard there of a promising attempt to merge agile methodologies and system design: SAFe LSE (Scaled Agile Framework for Lean System Engineering). SAFe is one method for scaling agile practices (others include LeSS and Nexus).

I couldn’t agree more with SAFe LSE manifesto:

The Original SAFe for Lean Systems Engineering Manifesto

Lean systems engineering is a discipline whereby empowered systems developers work in cross-functional teams building systems that benefit customers and users. Fed by constant customer collaboration, led by lean thinking manager-teachers, we:

Understand the economics of the value chain
Develop systems iteratively and incrementally
Integrate frequently; adapt immediately
Manage risk, efficacy and predictability with model- and set-based engineering
Embrace agile development values and practices
Decentralize decision-making, synchronize via cross-domain collaboration and planning
Limit work in process. Reduce batch sizes. Manage queue lengths.
Base milestones on objective evaluation of working systems

We commit to building better systems and to continuously improving and disseminating our methods and practices

Has someone used it in the trenches?

I bet someday this framework (or a similar one) will take over as leading methodology for system design. Definitely a growing field to monitor.

I attended the BIOMEDevice conference on the 13th and 14th of April 2016. The conference was packed with suppliers of the medical device space, especially from Massuchussetts. Two conferences have especially rung a bell in my head, and I thought I might just drop my notes here so that everybody can get a feel of what was said:

Patient Privacy & Data Security in the Cloud Communication Age
Winning Over the Hospital Value Analysis Committees

BIOMEDevice 2016 conference hall

Patient Privacy & Data Security in the Cloud Communication Age

Our technology is advancing faster than we can protect it. How can we keep up with the cloud communication age and build sustainable data protection?
Understanding FDA’s evolving guidelines and standards to address cyber security
How is HIPAA playing an increasingly pervasive role in health data management?
Cloud-enabled utilities and solutions – what are the pros, cons, and security risks of storing data in the cloud?
Advances in safely transmitting data across various healthcare applications and protecting data from cyber attacks

Michael McNeil, Global Product & Security Services Officer, PHILIPS HEALTHCARE

Phillips has a HealthSuite IoT architecture based on AWS (EC2, S3, Glacier, Lambda, SNS)

http://www.usa.philips.com/healthcare/innovation/about-health-suite

They have a way to make sure data is not leaving a country’s borders where it’s forbidden.

Industry challenges:

Patient safety (ethical hackers have demonstrated threats)
Data integrity and availability – required by care
Legal and regulatory obligations
Protecting intellectual property – especially when expanding into emerging markets

Best practices:

Design security at every stage of development
Take advantage of well-known techniques (encryption, salting, rate limiting)
Train employees
Integrate security by design. Security built into the development process.
External security testing and assessment.

Medical device challenges:

Portable and mobile devices (storage medium encryption, hard to remove without tools)
Access to device and settings
Firewall controls
Malware controls (whitelist solutions take away the need for daily updates)

Avoid 3 deadly sins of medical device vulnerabilities

Uncontrolled distribution of passwords (fixed, default, hard-coded)
Failure to provide timely security software updates and patch management
Security vulnerability in off-the-shelf software designed to prevent unauthorized device or network access

The FDA has clearly stated that you don’t have to the entire re-submission process to address security updates (validation responsibility still applies though)

Establish a policy for providers and SOUPs (embed checkpoints in vendor selection, update the procurement process, establish monitoring criteria [frequency of scan and pen testing…]

Define a responsible disclosure of incidents process (they will happen!)

Conclusion:

Continuous threat monitoring of the healthcare landscape is critical
Transparency, accountability and responsiveness must be ongoing features
Wider dialogue between medical device makers, hospitals, regulators and security professionals will advance innovation in security in the healthcare industry

Winning Over the Hospital Value Analysis Committees

Overview of the changing marketplace and how to position your product in this tight economic environment
USA vs. Europe – what are the hospitals looking for?
Important questions you should be able to answer
Looking at devices and assessing value – from a physician standpoint
Discussing value added services in products
Understanding the necessity of usability and how it can determine widespread adoption

Moderator:
David J. Dykeman, Attorney, GREENBERG TRAURIG, LLP

Panelists:
Eric T. Pierce, MD, PhD, Physician Director of Anesthesia Bioengineering, Supply & Technical Support, Department of Anesthesia, Critical Care & Pain Medicine, MASSACHUSETTS GENERAL HOSPITAL
Michael Fraai, Executive Director- Biomedical Engineering & Device Integration, BRIGHAM AND WOMEN’S HOSPITAL
David J. Berkowitz, Vice President, Healthcare Insights and Analytics, ECRI INSTITUTE

Value Analysis Committees are now gatekeepers to inserting a technology into hospitals. Decisions are more and more based on financial factors, clinical benefits are not the paramount factor anymore.

Considerations they have

What do they do with former product if there is a replacement?
Cost – upfront and maintenance. TCO is king.
Clinical outcome – of backed by solid evidence.

Eric T Pierce, MD, PHD: how we select devices

Eric is involved in product selection for the Massachusetts General Hospital – especially for anesthesia

The selection process is always changing.

Value in Medical devices = Quality (outcome, safety, clinician satisfaction) / TCO

Traditionally, physicians were big drivers of device selection. They become less and less important.

When a product might be controversial, limited trials are set up.

For complex and expensive products, the process is the following:

An ad-hoc evaluation group is formed (physician director, bioengineers, clinician advocates, division leaders, frequent users)
Review all viable product options
Apply selection criteria (TCO, compatibility & continuity, ease of operation, serviceability, product support)
Narrow choice of 2 or 3 products
Focused trial of top choices in-service
Comparative financial analysis, purchasing folks negotiate
Review, recommendation, decision

The whole process takes weeks or month

Ease of operation criteria (very important):

Intuitive design
Simple interface
Clean-ability (they recently had a device which screen was damaged to cleaning solutions)
Battery life
Boot up time (because of emergencies). They time boot-up time.
Portability (big issue for them: portable devices get stolen)
Mounts

Winning over the value analysis committee – David J. Berkowitz, Vice President, Healthcare Insights and Analytics, ECRI INSTITUTE

We are moving from a volume-based healthcare system to a value-based healthcare system

The absence of evidence (as far as clinical benefits are concerned) is a showstopper

Michael Fraai, Executive Director- Biomedical Engineering & Device Integration, BRIGHAM AND WOMEN’S HOSPITAL

Network security is huge topic before devices are authorized into a hospital’s network.

They don’t buy a quote. They buy a solution to deliver safe & efficient care.

There is an awareness of real cost.

Factors in the TCO: purchase cost, backfill cost, training cost, device integration, software cost, warranty cost, implementation cost, parts, accessories.

It becomes more and more costly to integrate products into EHRs.

Panel discussion

Mistakes companies and salespeople make:

Adding too many features
Eliminating features that users do like
Not doing enough outcome research
Not understanding the user’s work environment (screens too smalls or difficult to read). Send your designers to the environment where the device will be used.
Introducing too many variable or deals
Not supporting intra-operability (ICE standards)
Not being the clients’ time and objectives
Not being environmentally responsible

There is an EPP (Environmentally Preferable Purchase) movement happening in the supply chain space

Advice for manufacturers:

How do you reduce downtime?
Think about helping institutions to compute the TCO
Analyze error logs and fix errors. Provide backup capabilities.
Have a real value dossier with all the stuff discussed above ready for the value committee.

Agile Med Dev

Reflections on agile software design for medical devices

Conferences

JIE 2016 & agile system engineering

Highligts from BIOMEDevice Boston 2016 conference