USE CASE: Insulin Pump Using DRAFT V2.2 Patient-Safety Risk Framework

USE CASE: Insulin Pump using DRAFT v2.2 Patient-Safety Risk Framework M

Lower risk Medium Risk Higher Risk / More Attention Purpose of software Information-only; purpose is Automated decision making (e.g., intelligent Makes recommendations to user product transparent and clear IV pump, AED) Intended user(s) Targeted user(s) are knowledgeable Makes recommendations to Provides diagnosis or treatment advice and can safely use product knowledgeable user directly to knowledgeable user Severity of injury Potential for non-life threatening Very low probability of harm Life-threatening potential adverse event Likelihood of risky Unpredictable, but risky situation Rare Common situation arising arises > 1:100K pt-yrs and < once a (<1 per 100,000 patient-years) (arises once per patient-year) year Transparency of Software output is easy to Software operates transparently and software operations understand and its “calculation” (data output is understandable by software “Black box” and data and included and algorithm) transparent expert content providers Ability to mitigate Human intermediary knowledgeable Human intermediary may be (but not harmful conditions and empowered to intervene to Closed loop (no human intervention) routinely) involved prevent harm Complexity of software Application of mature, widely Complexity of data collection and Medium complexity. Testing and its maintenance adopted technologies with “transformation” involved in producing procedures exist that reliably assess information output that is easy to output is significant. Difficult to test reliably patient-safety risk profile of product. understand by the user for all safety risks Complexity of The “build” and configuration of the The “build” and configuration of the The “build” and configuration of the implementation and software is straight-forward and does software is moderately complex, but software is complex and can introduce upgrades not materially affect the integrity of “guard rails” significantly limit types substantial changes that can induce serious the output. Safety upgrades can be of changes that might induce life- risk. Limited or no “guard rails.” accomplished easily. threatening risk. Complexity of training The complexity of the user interface and The software system output is clear and use Moderate complexity. Less than 2 hr density of data presented can cause and easy to interpret. Minimal of training required. important errors or oversights that can lead training needed. to serious risk. Formal training necessary. Use as part of more Used as a standalone product, or Almost always used as part of a larger comprehensive output is unambiguously used as part Software interacts with 1-3 other software system AND output is subject to software/hardware of larger integrated system. Certified systems with mature, well described interpretation or can be configured in system to specific hardware. Redundancy interfaces multiple ways whose mis-interpretation reduces single points of failure may induce harm. [e.g., DDI thresholds]. Network connectivity, Wired or tightly controlled wireless Unregulated spectrum, but low risk of Wireless using unregulated spectrum; standards, security spectrum compliant with standards interference proprietary interfaces Exemplar 2 – Insulin Pump Software

Description of Exemplar Embedded software in insulin pumps that control insulin infusion, both in response to in vivo glucose sensing and according to external programmatic commands. Wirelessly transmits monitoring and performance data to external receiver that uploads data to PHR or EHR. External commander module displays current situation and current pump responses and behavior.

Target users  Patients with diabetes

Implementation/configuration  Pairing with external commander device  Pairing with wireless receiver  Configure upload parameters in conjunction with wireless receiver  Customize programmatic control of embedded insulin pump with patient-specific parameters

Severity of injury  Life-threatening

Likelihood of the risky situation arising  Software defect  Unanticipated condition  Assumes QMS process Transparency of software operation, data, and knowledge content sources  Commander module displays current conditions and pump responses

Ability to mitigate harmful condition  Patient can over-ride automated program through external commander module

Complexity of software and its maintenance  At least high school education

Complexity of implementation and upgrades  Upgrades performed similar to updates of device firmware o Download software to computer o Connect external commander module o Wirelessly update firmware of insulin pump

Complexity of training and use  Requires 2 hours training

Use as part of more comprehensive software/hardware system  Must configure to communicate with PHR

Network connectivity  BT or RF wireless to external commander module  BT or RF to Internet-attached computer or smartphone