Monthly Archives: April 2016

team lead

The Field Safety Notice

A field safety notice (FSN) is something that health care authorities issue when medicines or medical devices are found to be dangerous.

In the medical device field this is relevant to software development as FDA statistics show that the majority of product recalls are due to defects introduced by software updates after the initial approval.

The FDA, for its part and in spite of having many dedicated employees, has been captured. The 501(k) equivalence route to approval is often the passage-of-choice for well-connected US firms to release sub-standard equipment, typically manufactured overseas, onto the domestic market. Avoiding as it does the more exacting and costly QA of a new device.

One might question how the FDA can consider an entirely new computer control system to be “equivalent” to a device that has no software. But you’d have to ask them that. Get your name on the no-fly list for it.

Sub-Standard Developers = Sub-Standard Software

The kind of software developers that device manufactures hire also leaves a lot to be desired. They tend to rely on externals, mostly unvetted, who are hired on short-term contracts and have no stake in the future of the product. They are typically hired not for their software development experience, but for how they seem on paper.

If the FDA sees “Agile Certified” this is enough for them. “Has one year prior experience as a web developer“, doesn’t sound so good does it? Not exactly a recipe for success. The FDA sees “staff training giving” on the record, unaware that the training course was in the form of a document written in Chinese emailed to developers who only speak Hindi.

Then they put these guys onto writing safety-critical machine control software. Congratulations! You passed your driving test. Now you can come and drive for our Formula One team.

Crashes, Recalls and Safety Warnings

Are what you get. For example, you’ve hired a used-car salesman to lead your Agile team on the basis of his Agile certificates. He then decides that the best way for the software to meet the customer’s performance targets is to ditch the safety checks. But he doesn’t put that on the record because he knows it is unacceptable, and you trust him. These safety features have been a requirement from day one, and they’ve already been tested. So who is to know if he takes them out of the code now?

Naturally he fails to meet the performance targets anyway, leaving you to renegotiate your customer’s expectations and hand over an instrument that is, unknown to you, fatally flawed.

Six months later the health authorities are on to you. You have to get it fixed, now. Even though those safety checks have been a key functional requirement of yours for the last four years. You have to send a warning notice to all of your customers that they have to pin up next to your beautiful leadership-saving hardware: “WARNING: This machine is dangerous and might kill the patients. Use at peril!“. Or words to that effect.

Then you have to tell hospitals and health care laboratories that everything they’ve done with your machine, all the results it has produced, all the money it saved them and what not, is potentially invalid and they should use their own procedures to figure out what to do about it.

discuss your concerns with your laboratory director to determine what to do

That’s great. Means nobody knows if any of the previous results are valid or not. Swell. Wunderbar, as they say in Germany. Wether or not that has lead directly to the deaths of any patients will be hard to establish, what with there being no record of what the instrument was actually doing and all.

But the dude who got you into this mess doesn’t care. He’s got your money already and it’s not like you can sue him is it? It was you that hired him, after all. You signed-off on his dangerous cost-cutting short-cuts.

The liability is with the manufacturer of medical devices, not the schmuck unqualified contractors they hired to hack together buggy code for them. Submitting false documents for regulatory approval is considered a very serious offence. Writing buggy-code is something anybody can do.

Are You A Patient?

Our tip for patients: Ask your physician which instrument was used in the diagnosis. Then google seach for the name of the instrument and the terms “RECALL” and/or “FSN”. Then you will have the information you really need to decide if a second opinion, based on a manual laboratory test, is in your best interests.

Class-action suits may be more effective in the long term.

To date, we have received no customer complaints or reports of patient injury due to this issue.”

Well that’s lucky for them then, isn’t it. Not that the patients will ever know the nature of some of the people whose hands their health is in.

Primum Non Nocere

First do no harm, is a phrase that holds no meaning for Agile developers. If you don’t believe us, ask one. For them, it is enough simply not to be ‘evil’. Whatever that means.

Links
Health-Care Ethics