
SFLC Wants To Avoid Death by Code

Posted by timothy
from the me-too-me-too dept.
foregather writes "The Software Freedom Law Center has released some independent research on the safety of software close to our hearts: that inside of implantable medical devices like pacemakers and insulin pumps. It turns out that nobody is minding the store at the regulatory level and patients and doctors are blocked from examining the source code keeping them alive. From the article: 'The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled. ... Despite the crucial importance of these devices and the absence of comprehensive federal oversight, medical device software is considered the exclusive property of its manufacturers, meaning neither patients nor their doctors are permitted to access their IMD's source code or test its security.'"

  • Re:Why? (Score:4, Interesting)

    by julesh (229690) on Thursday July 22, 2010 @07:15PM (#32998250)

    The devices themselves are rigorously tested in clinical trials. If they pass those tests, what more do you want?

    Software errors can (and in fact are most likely to) result in pathological behaviour in unusual circumstances. Example. [wikipedia.org] "The failure only occurred when a particular nonstandard sequence of keystrokes was entered on the VT-100 terminal which controlled the PDP-11 computer: an "X" to (erroneously) select 25MV photon mode followed by "cursor up", "E" to (correctly) select 25 MeV Electron mode, then "Enter", all within eight seconds. This sequence of keystrokes was improbable, and so the problem did not occur very often [i.e. not in any clinical trials] and went unnoticed for a long time." An independent source-code audit could have saved three lives in that case.

  • Re:So what (Score:5, Interesting)

    by wiredlogic (135348) on Thursday July 22, 2010 @07:44PM (#32998508)

    In the case of avionics, there are rigorous design and testing standards for electronics, software, and mechanical hardware that are mandated by the FAA. Passing them is part of the certification process. This task can be handled in house or by third parties that specialize in that task. The medical industry should largely be applying the same principles.

  • Not just government (Score:3, Interesting)

    by weston (16146) <westonsd @ c a n n c entral.org> on Thursday July 22, 2010 @07:54PM (#32998580) Homepage

    Does a government agency examine...

    How about the other entities mentioned in the summary (let alone TFA) -- patients and, more importantly, *doctors*? If not them -- who should review them?

    After all, nothing can possibly be safe until it is certified as such by the government. Just ask hundreds of thousands of people who died while the drugs that could have saved them were waiting for the FDA approval. They are pretty safe now.

    FDA approval works roughly about as well as "self-regulation" works, since the FDA more or less reviews studies provided by the industry.

    Though it's worth noting this is probably at the upper bound of effectiveness of self-regulation, since under the FDA they're actually required to submit something that can convincingly pass for a study in order to receive approval.

  • by htdrifter (1392761) on Thursday July 22, 2010 @09:09PM (#32999030)

    The FDA requirements on software are strict. There are requirements for coding practices, testing, QA, etc. Inspectors show up, without notice, to check for compliance.
    The code reviews are very thorough and require a manager and at least two other programmers.
    All code has to be instrumented and scripts written to force execution of all code.
    The output traces from instrumentation have to be fully documented. Everything that happens is documented.

    They require the source code with all changes documented, test scripts, fully documented code instrumentation output, full QA test documentation, etc. All these things must be signed by the programmer, reviewers and managers.

    All this goes to the FDA along with a system for testing. They review the code, test the system and call with questions.
    The FDA is interested in suggestions on improvements to the process.

    That process adds a lot to the development time and cost for a project.
    It can't guarantee perfection but they take a very good shot at it.

  • by Joe The Dragon (967727) on Thursday July 22, 2010 @09:11PM (#32999040)

    NEVADA GAMING COMMISSION has the code to slots games so why can't the FDA get the code to med systems?

  • by TapeCutter (624760) * on Friday July 23, 2010 @01:54AM (#33000262) Journal
    Reproduced below are the statistics printed on my pack of smokes...

    Causes of death in Australia.
    Tobacco - 19,019
    Alcohol - 2,831
    Motor vehicle accidents - 1,731
    Illegal drugs - 863
    Murders - 203
