
SFLC Wants To Avoid Death by Code

Posted by timothy
from the me-too-me-too dept.
foregather writes "The Software Freedom Law Center has released some independent research on the safety of software close to our hearts: that inside of implantable medical devices like pacemakers and insulin pumps. It turns out that nobody is minding the store at the regulatory level and patients and doctors are blocked from examining the source code keeping them alive. From the article: 'The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled. ... Despite the crucial importance of these devices and the absence of comprehensive federal oversight, medical device software is considered the exclusive property of its manufacturers, meaning neither patients nor their doctors are permitted to access their IMD's source code or test its security.'"
  • by chaim79 (898507) on Thursday July 22, 2010 @08:11PM (#32998208) Homepage

    I work for a company that does full life-cycle development and verification of safety-critical software, the main areas we work in are aircraft instrumentation, smart munitions, and medical equipment (including pacemakers). The amount of testing and verification that goes into these software categories often exceeds the development cost, and at every level it is documented and traced. What on earth do Doctors think they will see in the source code? We do verification, peer review, tracing, etc. what would an MD find that a room full of software, system, and QA engineers wouldn't? About the only thing that they would be able to look at and have a hope in understanding is criteria for taking action, and that is in the requirements and should be reviewed at that level, not at the code level.

    Next thing they know Pilots will demand the ability to review the code for their cockpit management system and soldiers the ability to review the code for their Anti-Tank rockets!

  • How are you alive? (Score:5, Informative)

    by zooblethorpe (686757) on Thursday July 22, 2010 @09:29PM (#32998780)

    I'm not trolling or flaming at all here, I'm genuinely surprised.

    about a pint to a quart of everclear a night

    By my quick-and-dirty calculations:

    1. 1 qt = 946 ml
    2. @ 95% ABV = around 900 ml of pure alcohol (898.7 ml)
    3. 12 oz (bottle of beer) = 355 ml
    4. @ 5% ABV = around 18 ml of pure alcohol (17.744 ml)
    5. 1 qt everclear = 50 12-oz bottles of beer
    6. 1 pt everclear = 25 12-oz bottles of beer

    I tend to feel rough after four or five beers. How is it you're drinking five to ten times that *a night* and still around to talk about it lucidly? I'd expect some serious delirium tremens in short order on that track...

    Curious,

  • Re:So what (Score:5, Informative)

    by paeanblack (191171) on Thursday July 22, 2010 @09:46PM (#32998882)

    Hardware that is literally the only thing keeping you alive should be subject to some regulation. I don't think code-reviews by bureaucrats is a good option, but perhaps independent third parties would be a start.

    Given that basically all such devices have been reviewed by Underwriter Laboratories or an equivalent OSHA recognized testing lab already, I don't see what needs to change.

    Despite all the flaws of the US tort system, it does provide a strong financial incentive for things like pacemakers to be designed robustly. And yes, the code also gets reviewed.

    It may surprise people, but the system being proposed is already in place and it works pretty well.

  • by Anonymous Coward on Thursday July 22, 2010 @10:04PM (#32999000)

    But thanks for the amateur psychoanalyzing, it was very humorous.

    Yeah, I guess a real psychoanalyst requires someone who...

    ...is a convicted burglar [slashdot.org] for multiple counts of grand larceny:

    I was a thief when I was teen-ager. Not a grab and run, bust a glass thief either. I was a break in, and steal everything you had in the house, and bust your safe if you had one.

    ...is a major douchebag [slashdot.org]:

    Eh, I got banned from the WoW forums on one account for calling the mods fucktard asshats who...well, you get the idea.

    ...is a douchebag AND a troll [slashdot.org]:

    Whoever modded the above post troll is a fucking idiot whose mother is a cocksucking whore on a Glasgow street corner. If you fail to recognize a legitimate question, maybe you need to get the dick out of your mouth and the dildo from your ass and learn to read. That's the problem with handing moderation points to just anyone on /. Fucking morons get them too.

    ...is a white supremacist [slashdot.org]:

    Niggers are different than me and need to be looked down upon, especially if the law prevents me from killing them on sight or at least putting them back in chains and out in the fields.

    ...is an attempted killer [slashdot.org] (thankfully only attempted):

    Convicted of 1 B&E, 1 Burglary, 1 Armed robbery, 1 assault with a deadly weapon inflicting serious injury with intent to kill, Violating the federal Firearms Licensing Act, Possession of Stolen Government property, and an explosives charge for the hand grenades.

    ...believes mentally ill people should be put down [slashdot.org]:

    If someone is a diagnosed pedophile, there is only one sure fired way to make sure they never do it again, a bullet through the head, or a more humane method if that is your preference.

    ...enjoys taking out his rage by beating up pedophiles [slashdot.org] while in prison:

    We'd beat them [the pedophiles] down, the guards would beat them down, and they would not stop, could not stop more likely.

    And the very best part is, this guy is a certified counselor [slashdot.org]! And he's PAID by your very own tax money!

    I work as a SAC II (substance abuse counselor) for pay, part-time and also am doing my internship at the same location. It's free work IMNSHO. The only reason I put up with it is because as soon as I finish my MA and get my license, I go full time with about a 95% pay raise, plus state government benefits, and will be able to do private assessments and counseling on the side for about a grand a week.

    Hire your own stonewallred today! Limited offer! *Exclusions include non-whites, democratic party members, women, and educated persons.

    I feel so inspired and humbled.

  • Re:So what (Score:5, Informative)

    by Achra (846023) on Thursday July 22, 2010 @10:09PM (#32999028) Journal

    In the case of avionics, there are rigorous design and testing standards for electronics, software, and mechanical hardware that are mandated by the FAA. Passing them is part of the certification process. This task can be handled in house or by third parties that specialize in that task. The medical industry should largely be applying the same principles.

    EXACTLY. First informed post I've read on this story. I've made a career out of working on medical devices of all levels of concern (yes, including a heart pump) and the V&V process is basically as the parent states. There is a fairly rigorous validation process which is performed on the device (over the course of months to years, depending on complexity of the product and level of concern). These things aren't exactly shuffled out the door like Microsoft shuffles out a new OS (yes, I've worked there too). There is a LOT of diligence involved in receiving 510k clearance on a new device.

  • Re:HeartHacks (Score:3, Informative)

    by demonlapin (527802) on Thursday July 22, 2010 @10:22PM (#32999110) Homepage Journal
    It needs to be a great deal more complex if you want to do something more than just be alive.

    Adaptable rates? You'll need a motion-detection routine in order to speed the heart up so that people can enjoy even the mildest exercise.

    Pacing only when needed, not when it's not? You'll need more code to identify when a beat has occurred within the correct time interval.

    How about automatic defibrillators? Those are the devices that will shock a heart back into a normal rhythm, which is far more than a regular pacemaker can do; of course, in order to do that, they have to be able to analyze an EKG in real time and get it right - and that takes code.
  • Re:So what (Score:5, Informative)

    by gurudyne (126096) on Thursday July 22, 2010 @11:38PM (#32999522)

    I've tested medical device software and I had to sign my name on forms over 5K times for just one version. This was just for the behavior and appearance of the localized GUI, not the pure functionality. Each test was recorded via video. The 90GB of video, 4GB of datasets, and the 220 pounds (100kg) of signed test forms were shipped at the end of the 6 week series.

    At the medical device customer's end, all of the tens of thousands of pages of signed and initialed test forms were scanned and burned to disks. The plan is to hang on to these for about a century.

    Then, the forms are updated and reviewed, new languages and OS versions added and the cycle continues. Every step is reviewed and audited. We don't want the FDA asking 10 years from now if something was tested or considered for testing without giving defensible answers.

    The folks testing the functionality of the software had close to 100K of tests for each version of device software. (Different vendor, so I am going by what the device company told me.)

    We all reported to the same defect database, so we could be aware of progress and problems.

    Long hours, fun times.

  • by silentcoder (1241496) on Friday July 23, 2010 @05:39AM (#33000978) Homepage

    There may be a locational bias here.

    I can just about handle 3 South African beers, in America I ordered by the Jug and usually 2/3 of those on a dinner date with a girl.

    Beer doesn't have a universal standard for strength and American beer is pretty much piss.
