Software: The Brains Behind the Medical Device

Bob Michaels
As medical devices become increasingly connected and complex, software designers must address new control, user-interface, and security concerns

Behind many a great medical device stands a great piece of software. And that software platform is often as crucial to patient welfare as the device itself.

Designed to perform a range of tasks, software enables medical devices to interact with the body and perform a host of functions, from monitoring heart rate and measuring blood flow to controlling electrical pulses and dispensing medications. But in an increasingly interconnected world, designers of medical device software are facing heightened challenges associated with control, data integrity, data consistency, user interfaces, and security.

Medical Device Control Freaks
Many medical devices, especially electronic implants, are almost by definition critical or life-critical products, remarks Grant Courville, director, product management, at QNX Software Systems (Ottawa, ON, Canada). But to ensure patient welfare, software must enable devices to run consistently, reliably, and safely.

Based on the Neutrino RTOS and featuring a user interface based on the Qt application framework, QNX Software Systems’ medical proof-of-concept can aggregate and display data from a blood pressure monitor, spirometer, pulse oximeter, ECG, or insulin pump.

Serving the medical device industry, QNX focuses primarily on software for therapeutic, diagnostic, and medical imaging devices. Its primary product is the QNX operating system, built on a microkernel that is adaptable across a range of medical and nonmedical applications. The software builds out from there, adding file systems, networking, USB, Bluetooth, and wireless connectivity.

QNX software, according to Courville, provides a high-availability control framework that allows the medical device OEM to monitor critical subsystems within the device. For example, if the high-availability manager detects that a device is not functioning normally, it can capture all of the state information for subsequent debugging, and it can also deploy a recovery mechanism determined by the system designer. “Depending on the scenario, control functions can range from restarting an individual process to transferring control to a standby system to returning the system to a safe state,” Courville explains. “Because of the software’s modular, microkernel architecture, the high-availability manager can also implement fine-grained control, such as restarting an individual device driver and reestablishing connections between the driver and its client applications, while allowing the rest of the system to continue functioning.”
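As an added illustration (not QNX's high-availability manager or its API), the following Python models the recovery policy Courville describes: capture the failed subsystem's state for debugging, restart the process while a per-subsystem restart budget lasts, fail over to a standby if one exists, and otherwise return the system to a safe state. The subsystem names, restart budgets and window lengths are assumed design values.

```python
import time
from dataclasses import dataclass, field

# Recovery actions, least to most disruptive, as in the text: restart the failed
# process, hand over to a standby, or bring the whole system to a safe state.
RESTART_PROCESS, FAILOVER_STANDBY, SAFE_STATE = "restart", "failover", "safe_state"


@dataclass
class Subsystem:
    name: str
    max_restarts: int        # restarts tolerated within the window (assumed design value)
    window_s: float          # restart-counting window in seconds (assumed design value)
    has_standby: bool        # whether a standby instance exists to fail over to
    restart_times: list = field(default_factory=list)


class HAManager:
    """Simplified stand-in for a high-availability manager (not QNX's own API)."""

    def __init__(self, subsystems, clock=time.monotonic):
        self.subsystems = {s.name: s for s in subsystems}
        self.clock = clock          # injectable so the policy can be tested deterministically
        self.crash_dumps = []       # state captured for later debugging

    def on_failure(self, name: str, state_snapshot: dict) -> str:
        sub = self.subsystems[name]
        now = self.clock()
        # Always capture the subsystem's state before any recovery action runs.
        self.crash_dumps.append({"subsystem": name, "time": now, "state": dict(state_snapshot)})
        # Only restarts inside the window count toward the restart budget.
        sub.restart_times = [t for t in sub.restart_times if now - t < sub.window_s]
        if len(sub.restart_times) < sub.max_restarts:
            sub.restart_times.append(now)
            return RESTART_PROCESS      # fine-grained: the rest of the system keeps running
        if sub.has_standby:
            return FAILOVER_STANDBY     # budget exhausted, but a standby can take over
        return SAFE_STATE               # no standby: last resort is a known-safe state
```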

The software also provides adaptive partitioning, a flexible form of CPU time partitioning that allows system designers to specify a CPU budget for each major software subsystem. Given the growing complexity of medical devices, which now must support graphical human interfaces, data storage, wireless networking, and other capabilities, this partitioning can be invaluable, Courville says. Among other things, it helps ensure that time-critical processes always have a sufficient CPU budget. It can also ensure that the system design has sufficient idle CPU time to accommodate future expansion.

Besides performing monitoring and control functions, a software platform should ensure the consistency of the data it handles. QNX’s memory-protected architecture ensures the consistency of both in-memory data and data in persistent storage, such as hard drives or flash, by allowing only authorized processes to access stored files. Because QNX is a microkernel operating system, even drivers, networking stacks, and file systems run as processes in their own separate memory spaces, Courville remarks. In conventional operating systems, by contrast, these components run inside the kernel itself.

“People often forget when speaking of real-time operating systems that they mean not only performance and speed but also data consistency,” Courville remarks. “In other words, when a sensor sends data and then communicates them to the operator interface, each and every time the system must guarantee that those data are not corrupted. Thus, you want to be able to do something quickly, efficiently, and accurately, and you want to be able to do it 100% of the time.”

Interfacing with the User
While data transfer and control functions are crucial aspects of medical device software platforms, software systems often perform a variety of other tasks. Foremost among them is providing a user-friendly interface. However, while optimizing user interfaces is a primary goal of software designers, achieving a design that promotes safety, ease of use, and proper use is particularly challenging, remarks Chris Atkinson, vice president, engineering at Software Engineering Professionals (SEP; Carmel, IN), a provider of software for use in infusion pumps, laboratory equipment, blood analyzers, and diabetes-related applications.

“At SEP we have implemented practices to develop and test user-interface designs early,” Atkinson notes. “Not only is this important for reducing user errors, but the expectations for product usability have also really increased in the last few years.” This situation, Atkinson adds, is especially true for devices that offer limited screen space.

In general, the user-interface design is paramount for products targeted at consumers, such as home-use devices and mHealth applications. In the smartphone arena, for example, improving the user-interface experience is especially important, according to Atkinson. Because smartphone consumers demand software that is easy to use, it is incumbent upon developers to implement improved user-interface designs and incorporate the user-interface part of the software into the entire software platform. “This process can get complex quickly,” Atkinson says, “because the design concept sometimes doesn’t work as well as expected when it is implemented and taken for a test drive.” In response, software designers could be compelled to change what was just implemented, presenting additional challenges.

It is helpful for software developers to foresee design problems before implementing a software platform, Atkinson comments. By fully understanding a software concept, the designer can make the mental leap of knowing how it will work for a user once it is implemented. “This method is difficult,” Atkinson adds, “but having some knowledge and experience with user-interface design can definitely be an asset for developers when working with the design team, improving the product-development effort.”

Making Secure Connections
The demand from medical device OEMs for greater complexity and improved communications capabilities is bringing software safety and security issues to the fore, remarks Ludovic Labat, manager, medical devices at Invetech (San Diego). The company’s software development portfolio includes embedded software and firmware for patient-connected drug-delivery devices, and its software helps medical devices perform a range of core and secondary functions. Core functions can include fluid control, electromechanical control, and sensor and data analysis, while secondary functions can include high-level applications, power management, and user-interface functions.

“The general trends we see for developing software for medical devices are more wireless connectivity, more remote access, less power consumption, and smaller devices. But these advances result in more technical complexity and, consequently, more safety concerns requiring more scrutiny,” Labat says. One approach to medical device security, according to Labat, is the use of security protocol stacks and well-known security layers between wireless devices in the form of the Secure Sockets Layer (SSL), a commonly used protocol for securing message transmission on the Internet.

Atkinson concurs that increasing device connectivity and the proliferation of wireless technologies have heightened safety and security worries. For example, one of SEP’s projects involved the development of customized software for an infusion pump connected to a hospital computer network. This software was designed to handle messaging from the infusion pump to the management system, transmitting information such as event logs of the pump’s operation and medication delivery status. It also allows the pump to receive medication data and the corresponding safe-delivery parameters.

“In general, there are points of vulnerability in such a configuration that start with external interfaces from the device,” Atkinson says. “For example, the device may include a USB or Ethernet port. These interfaces are necessary to provide modern capabilities, but they also open the door to the possibility of device hacking.”

When a medical device is developed, the design is analyzed for points of vulnerability, Atkinson says. This analysis is often conducted before software development activities have even started. SEP’s teams identify mitigation strategies for addressing each point of vulnerability and plan how to test a product to verify whether the proposed mitigation strategies will be effective. “There can be several ways to mitigate vulnerabilities, but often these measures are addressed in the design of the software,” Atkinson adds. “By understanding the issues up front, the software team can design the software in ways to prevent hacking. The key is to consider these issues in the early product design stages.”
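Atkinson’s point that the vulnerabilities start at the device’s external interfaces suggests the kind of gate the pump-side software can place in front of inbound medication orders; the following Python is an added example, not SEP’s or any project’s code. It authenticates each received frame with an HMAC over a canonical encoding, rejects replays with a sequence number, and accepts the ordered rate and volume only if the accompanying safe-delivery limits fit inside the device’s own hard limits and the order fits inside those limits. The field names, shared key and limit values are assumptions; a transport layer such as SSL/TLS protects the link but does not validate the content, which is what this check adds.

```python
import hashlib, hmac, json, math

# Device-level hard limits (assumed values) that no received limit can widen.
DEVICE_HARD_LIMITS = {"rate_ml_h": (0.1, 999.0), "vtbi_ml": (0.1, 9999.0)}

class RejectedMessage(Exception):
    """Inbound frame failed authentication or validation."""

def sign(payload: dict, key: bytes) -> str:
    # Deterministic JSON so sender and pump compute the MAC over the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def _num(value, lo, hi, what):
    # bool is a subclass of int, so exclude it explicitly; reject NaN/inf too.
    if isinstance(value, bool) or not isinstance(value, (int, float)) or not math.isfinite(value):
        raise RejectedMessage(f"{what}: not a finite number")
    if not lo <= value <= hi:
        raise RejectedMessage(f"{what}: {value} outside [{lo}, {hi}]")
    return float(value)

class PumpMessageHandler:
    # Gate between the network interface and the infusion controller (hypothetical).
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted (replay defence)

    def accept_order(self, frame: dict) -> dict:
        payload, tag = frame.get("payload"), frame.get("mac")
        if not isinstance(payload, dict) or not isinstance(tag, str):
            raise RejectedMessage("malformed frame")
        # 1. Authenticate first, in constant time, before trusting any field.
        if not hmac.compare_digest(sign(payload, self.key), tag):
            raise RejectedMessage("MAC mismatch: corrupted or forged")
        # 2. Reject replayed or out-of-order messages.
        seq = payload.get("seq")
        if isinstance(seq, bool) or not isinstance(seq, int) or seq <= self.last_seq:
            raise RejectedMessage("replayed or out-of-order sequence number")
        order, limits = payload.get("order"), payload.get("limits")
        if not isinstance(order, dict) or not isinstance(limits, dict):
            raise RejectedMessage("order and limits must be objects")
        checked = {}
        for name, (hard_lo, hard_hi) in DEVICE_HARD_LIMITS.items():
            # 3. Received safe-delivery limits may only narrow the hard limits;
            #    4. the ordered value must then fall inside the narrowed window.
            lim = limits.get(name)
            if not (isinstance(lim, list) and len(lim) == 2):
                raise RejectedMessage(f"{name}: missing limit pair")
            lo = _num(lim[0], hard_lo, hard_hi, f"{name} lower limit")
            hi = _num(lim[1], lo, hard_hi, f"{name} upper limit")
            checked[name] = _num(order.get(name), lo, hi, name)
        self.last_seq = seq  # commit only after every check passed
        return checked
```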

Likewise, Courville from QNX notes that the ultimate goal of device designers is to connect medical devices with a host of communications devices, from nurse call stations and bedside equipment to smartphones and tablets. “However, the minute you connect a device and send information to it, you’ll also likely want to manage the device by updating some of the firmware or software. And when you get into those kinds of environments, data integrity and security become extremely important.”

To address security concerns, QNX’s operating system has been certified to Common Criteria, an industry-standard security certification. And as a subsidiary of Research in Motion (RIM)—manufacturer of the BlackBerry—QNX relies on the open, standards-based security technology provided by RIM subsidiary Certicom Corp. This technology, in turn, incorporates a host of networking security technologies, such as Secure Boot.

“Data security, as it pertains to connectivity and communications in general, is extremely important in medical device applications,” Courville states. “And it’s not only a question of access to the data, it’s also data integrity. Not only do you want to protect the data you have, you also want to make sure that they do not get corrupted.”