Software development and risk management in the safety critical medical device domain

University dissertation from Department of Computer Science, Lund University

Abstract: The healthcare sector is one of the fastest growing economic sectors of today. The medical
device domain is one part of that sector. An increasing part of functionality in medical devices
and systems is implemented in software and many features would not be possible to
implement without software.
The use of medical software is an inherent risk to the patient and the outcome of a failure can
vary from death to almost no effect at all. Risks and risk management are closely connected to
the medical device domain and it is crucial for all medical device companies to have a good risk
management process. It is also stated in law that the companies developing medical devices
must have a risk management process.
One part of the research in this thesis focuses on the current state of practice in the medical
device domain. As a result of this research, the need for high quality software in this domain
has been identified, as has the need for new techniques, methods and processes to further
improve software quality in the medical device domain. The results have been used to derive a
set of requirements for new processes, methods and techniques in the area, to be used by
researchers as a guide in the development of more adapted processes, methods and techniques
for software development in the medical device domain.
The other part of the research in this thesis focuses on risk and is based on two experiments.
A number of decisions regarding risks are taken during software project risk management and
it is the people involved that make the decisions. Different people’s opinions about the
importance of identified risks are investigated in an experiment and it is concluded that
different participants have different opinions about how serious the risks concerning faults
remaining after testing are. It is probably possible to generalise this and conclude that in the
software engineering process different people are more or less risk seeking.
From the second experiment it could be concluded that multiple roles and thereby different
experiences will affect the risk identification process. Involving multiple roles will result in a
more complete set of identified risks than if only one role is included.