In September, Nova Leah Cofounder, Fergal McCaffery, was appointed the first Professor of Computer Science at Dundalk Institute of Technology and won the Lero President’s Award for Innovation and Entrepreneurship. Fergal is internationally recognised for his contributions to medical device software engineering. His research team has led the development of four International Standards/Technical reports for the global medical device software community.
We recently sat down with Fergal to discuss his research and future trends in the industry. We started by asking about his appointment as DkIT’s first Professor of Computer Science and if he’d had a chance to reflect upon its significance.
It’s quite a significant landmark, not just for myself but for the college. When I started researching the area of medical device software, it was very much me, myself and I! No one else was looking at this area. I remember when I applied for the Science Foundation Ireland (SFI) Principal Investigator Funding, no one at Dundalk Institute of Technology had previously received SFI principal investigator funding so it was deemed very unlikely that my application would be successful. But against the odds we got the funding. That was a very significant landmark for my research and for that of the Regulated Software Research Centre, which was initiated as a result of this funding.
Over the past number of years, the whole domain has evolved hugely. We have gone from one person to a large team of over thirty members and have been successful in attracting significant funding to the area of medical device software engineering. When I was informed about the appointment, I was truly honoured. I think the appointment of DkIT’s first Professor of Computer Science is an acknowledgement of the significance of the medical device software discipline, to both the region and the country.
In your research you initiated the idea of bringing software engineering best practices into the domain of medical device software, could you tell us a little about this approach?
When I started looking at medical device software, few thought it would grow to the point it’s at today. Within Ireland at the time there were a lot of companies developing medical devices, but it was mainly from a manufacturing or hardware perspective. At that point, we could see how the software in these devices was undoubtedly going to take on a bigger role. Some of this software was used in expert systems to assist with diagnosis and in continuous patient monitoring. To my mind, such systems fulfilled the definition of a medical device.
Then in 2012, this all changed with an amendment to the medical device regulations. The new regulation outlined how software could be classified as a medical device in its own right. At that point, there had been organisations that were developing software which wouldn’t have traditionally fallen under the medical device category. However, as such solutions could be used in the diagnosis, alleviation or monitoring of illness, they were now considered medical devices.
This development presented a great opportunity for my team and I to start working with the international medical device standards community. Up until then, when developing standards for medical devices, the main inputs came from those with knowledge of hardware or electronics. Software development best practices weren’t typically considered. The change in regulation allowed my team to investigate how software engineering best practices could be incorporated into medical device standards.
We first got involved in working with the IEC 62304 working group, which is essentially the bible for developing medical device software. We then led the development of an international technical report (IEC 80002-3) demonstrating how software engineering best practices could be brought into medical device lifecycle development. This was a big game changer for my team as it helped to position us as thought leaders in this area.
What are the biggest challenges faced by medical device software organisations that differ to those faced by generic software organisations?
The biggest challenge is the regulatory landscape. If you cannot comply with the regulations, your product is going nowhere, it’s as simple as that.
From a safety perspective, medical devices are in a different playing field. If a typical software component fails, chances are there are no major safety repercussions. However, if your medical device software fails, it could be a matter of life and death. Also, from a security perspective, if your software doesn’t meet with security regulations and there is a breach, the implications upon your company’s reputation could be huge. Second chances can be hard to come by when it comes to jeopardising patient safety or hospital network security.
It’s important to note that the security is an ongoing exercise from cradle to grave. This means that medical device manufacturers’ reputations are always at stake. It is not only about getting a product to market safely and you’re done. It is about ensuring safety and security throughout the entire lifetime of the product.
What do you see as the key trends impacting the medical device industry?
In the past number of years, a lot of the most significant innovations within the industry have been software related. This meant that one of the big trends was increasing regulations around software. Initially, most of those regulations and concerns were around software safety. Many companies have now put in place strict processes around safety, based on international standards and as a result there have been huge improvements.
The biggest development at the minute is the increased emphasis on security of connected medical devices. The medical device industry is still coming to terms with cybersecurity to some extent. In the US there is a lot more awareness of cybersecurity challenges and companies are now starting to adopt cybersecurity best practices. European organisations are currently behind American companies in this regard. However, the next big wave in the medical device industry will be related to security and ensuring that best practices for security controls and reporting breaches are being adhered to.
What is your advice for medical device manufacturers, as they adjust to this change and prepare a security strategy?
The biggest thing for organisations within the medical sector or even the health and wellbeing sector is to be aware of what they need to do in terms of security. And that’s not only what they need to do right now but what these medical device standards and guidance reports are saying about the future landscape.
Once organisations have a feel for the future landscape, they can decipher what they can start to do today that will help them down the line. If they start to implement security practices within their development cycles today, it’s going to make life a whole lot easier further down the road. The last thing you want to do is to have to retrofit security processes into your software development cycle.
What are the key innovations in the medical device industry that you are most excited about?
Something I’m very excited about is the amount of data that is being collected by these medical devices. There are vast amounts of data being stored in the cloud that hasn’t been analysed in detail yet.
We actually don’t even know what can be learnt from this data. But the fact that the potential is there, is very exciting. As cloud providers, such as Micosoft Azure and AWS, provide increasingly sophisticated AI and machine learning functionalities to interpret such data, the possibilities are endless.
SelectEvidence is a cybersecurity risk assessment platform aimed at organisations within the medical device industry. However, looking to the future, what other applications are there for the technology?
Everything we apply to the medical device industry, including the work done in the research centre, is applicable to different safety critical industries. As a company that spun out of PhD research, it was important for us to focus on a niche area. That niche for us was the medical device industry. It was what we deeply understood and grew up in professionally. But that doesn’t mean we have to stay solely within the confines of that industry.
Beyond the medical industry, the natural progression for us is the automotive domain. This is an industry that is going through a lot of change with huge innovations around autonomous vehicles. Driverless cars are going to be mainstream soon, it’s just a matter of when. A lot of it comes down to security and trust. Are you going to trust the safety of a driverless car? Are you going to trust an autonomous vehicle to drive your kids to school? What happens if one car fails? What are the implications?
There are huge parallels between this and the medical device field. The ethical questions are quite similar and the need for high levels of regulatory compliance is also vitally important. This is just one example, but the way in which SelectEvidence is built, it can be easily transferred to other industries that are safety critical. Technology is bringing huge advancements across so many industries. Fascinating times ahead!