The medical device industry is currently one of the fastest growing industries in the world, and a guarantee of the integrity of medical device software has become increasingly important. Failure of the software can have potentially catastrophic effects, leading to injury of patients or even death. Consequently, there is a tremendous onus on medical device manufacturers to demonstrate that sufficient attention is devoted to the area of software risk management throughout the software lifecycle. Failure to do so can lead to a lack of approval from the various regulatory bodies, with a consequent surrender of the right to market the device in a particular country.
Several different standards, guidance papers and industry guides exist, which makes it difficult to guarantee conformance in all cases. This diverse set of requirements can make software risk management difficult. This thesis examines the possibility of a unified approach whilst investigating the relevance of the Capability Maturity Model Integration (CMMI®) SPI model to the regulatory requirements. It is demonstrated that existing SPI models are not comprehensive enough to satisfy medical device safety requirements, and an alternative is proposed.
The research presented in this thesis develops a software Risk Management Capability Model (RMCM) for the medical device sector, which meets medical device regulatory requirements and the CMMI® Software Process Improvement (SPI) risk management practices. The RMCM has been evaluated within a medical device company producing medical device software.
During the creation of the model, a mapping has been performed between medical device regulations and the CMMI® guidelines for software risk management. The research identifies the potential strengths and weaknesses of the CMMI® risk management process area in the specific context of medical device software. The research also identifies weaknesses of current medical device software regulations through the analysis of the CMMI® SPI model.