Software risk management: an exploration of software life cycle methodologies, best practices and tools for their application to medical device software risk management

Medical devices today rely extensively on software for a wide variety of functions. Device manufacturers must be equipped with software-focused risk management approaches, because software integration brings unique challenges in safety-critical medical applications. This study explores various approaches to foster the development of a software risk management (SRM) model throughout the software lifecycle (SLC). A combination of interviews and other exploratory methods including the inspection of documents and other artifacts were carried out to characterize activities in three areas: software development methodologies; risk management best practices throughout SLC, and software development and lifecycle management tools. The research identified that the two most common software development methodologies used in the medical device industry today are the traditional Waterfall and the more recent Agile method, whose customizations are discussed. Best practices identified as important for risk activities included the use of IEC-62304 standard for risk-based software development, Human Factors Engineering (HFE) methods, assurance cases and FMEA tool. With this knowledge, a SRM framework was developed in which certain risk management practices were implemented into the modified Agile/Scrum software development methodology. Then, tools for software development such as requirements, configuration, build, test and defect management, and those for Application Lifecycle Management (ALM), were explored to suggest ways in which to automate the SRM framework.