Integrating safety into connected medical devices


Whether it is IoT or Functional Safety, the trend calls for security.

As medical devices become connected, security is becoming essential.

Providing justification for the safety of an unsecure connected device will be extremely difficult, as potential attacks via the network connection can directly impact the safety functions. This means that both safety and security aspects have to be rigorously considered for new designs.


Issues around shared data and remote requests are coming up, and these are directly tied to security.

As systems become connected, either to share data or for remote operation in “telehealth” applications, the security elements of the designs become equally as important as the safety elements.


Safety considerations for medical devices

Identifies which related standards exist.

IEC 60601 – medical electrical equipment standard

ISO 14971 – risk management

IEC 62304 – medical device software lifecycle processes

For example, the IEC 60601 medical electrical equipment standard covers equipment such as EEG monitors, IV pumps, imaging systems, ECG devices, vital signs monitors, and other devices that connect directly to a patient. Devices and systems not directly connected to the patient are covered by IEC 61010, including measurement, control, and laboratory systems.

For medical devices and systems, comprehensive risk management is an integral part of ensuring patient safety. For this reason, risk management conforming to the ISO 14971 standard is generally applied, which requires the identification of hazards in all device operating modes and fault scenarios. The hazard identification process needs to be systematic and thorough, and should include the electronics and software within the device or system. Analysis of identified hazards is typically done using a risk matrix, which maps the expected severity of harm and the probability of occurrence to the overall risk associated with the hazard. The resulting risk for each hazard is then used to determine the required countermeasures, which can be design based, operational, or documentation related.

In addition, software in medical devices and systems is also regulated, with two different testing approaches. IEC 60601-1 Annex H allows software to be treated as a black-box component of the system, with the software functionality qualified and tested as part of the overall system. This approach is, however, challenging for complex software-based systems, so a different route also exists.

For devices with more complex software the IEC 62304 standard is applicable. This standard classifies software in three categories, ranging from the less critical Class A to the more critical Class C (where a failure could result in death or serious injury). The standard outlines requirements at each stage of the software development lifecycle and defines the minimum activities and tasks that need to be performed to provide confidence that the software has been developed in a way that reduces the risks from potential malfunctions caused by software errors to a tolerable level.

Integrating safety and security software with general-purpose applications

– How will the security side differ in the software process? I think there will be little difference; what matters is probably the MCU- and OS-level features.

Virtualization technology seems to be on the rise… is it a new marketing keyword? It sounds plausible, but the problem seems to be how to verify it..

I think it probably needs to be verified by mathematical proof that the virtualization-related properties are satisfied in all cases (formal verification); that sounds like interesting work. It cannot be confirmed by testing.

Virtualization is one key mechanism for increasing the separation between two or more software partitions executing on the same underlying hardware. Virtualization allows the generation of virtual environments, which present the underlying system to different software partitions in isolation. Virtualization can therefore be used to separate safety-related and regular software by allocating software of different criticality to separate partitions. A hypervisor is typically used to control the resource allocation as part of the virtualization scheme.

An MPU with a virtualization concept has come out,… so should developers just trust it and use it? Heh. Based on what??

ARM processors have various mechanisms for supporting software isolation and virtualization. In the Cortex-M microcontroller range, the memory protection unit (MPU) can be used for task isolation. The new ARMv8-R architecture supports virtualization directly by providing a separate hypervisor mode, which can be used to run a trusted hypervisor, ensuring separation between different virtual machines executing in separate partitions. The Cortex-A series processors, which implement either the ARMv7-A or ARMv8-A architecture, support separation via a memory management unit (MMU) and a hypervisor mode.
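An added example (not from the ARM text quoted above or from this blog) that models the Cortex-M MPU region-matching rules the paragraph mentions, with a constructed memory map that keeps a privileged safety task's data out of reach of an unprivileged regular task. The RASR bit layout and access-permission encodings are those of the ARMv7-M architecture; demo_map and the helper functions are hypothetical names, and the model never touches real hardware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of ARMv7-M (Cortex-M3/M4/M7) MPU region matching; not a
 * driver, it never touches the real MPU registers. */
enum ap { AP_NONE = 0, AP_PRIV_RW = 1, AP_PRIV_RW_UNPRIV_RO = 2, AP_FULL = 3,
          AP_PRIV_RO = 5, AP_RO = 6 };
enum access { ACC_READ, ACC_WRITE, ACC_EXEC };
struct region {
    uint32_t base;      /* must be aligned to the region size */
    uint8_t  size_log2; /* region covers 2^size_log2 bytes, minimum 5 (32 B) */
    enum ap  ap;
    bool     xn;        /* execute-never */
};

/* RASR bit layout: ENABLE bit 0, SIZE bits 5:1 (2^(SIZE+1) bytes), AP 26:24, XN 28. */
uint32_t rasr_encode(const struct region *r) {
    return 1u | ((((uint32_t)r->size_log2 - 1u) & 0x1fu) << 1) |
           (((uint32_t)r->ap & 0x7u) << 24) | ((uint32_t)r->xn << 28);
}

static bool ap_allows(enum ap ap, bool priv, bool write) {
    switch (ap) {
    case AP_PRIV_RW:           return priv;
    case AP_PRIV_RW_UNPRIV_RO: return priv || !write;
    case AP_FULL:              return true;
    case AP_PRIV_RO:           return priv && !write;
    case AP_RO:                return !write;
    default:                   return false;   /* AP_NONE or reserved */
    }
}

/* Highest-numbered region containing addr decides; no match faults unless privileged + PRIVDEFENA. */
bool mpu_access_ok(const struct region *regs, size_t n, uint32_t addr,
                   bool priv, enum access a, bool privdefena) {
    for (size_t i = n; i-- > 0;) {
        const struct region *r = &regs[i];
        if (addr < r->base || addr - r->base >= (1u << r->size_log2)) continue;
        if (a == ACC_EXEC) return !r->xn && ap_allows(r->ap, priv, false);
        return ap_allows(r->ap, priv, a == ACC_WRITE);
    }
    return priv && privdefena;
}

/* Constructed layout: shared flash code, privileged safety-task RAM, unprivileged regular-task RAM. */
const struct region demo_map[] = {
    { 0x08000000u, 18, AP_RO,      false }, /* 256 KiB flash, read+execute */
    { 0x20000000u, 13, AP_PRIV_RW, true  }, /* 8 KiB safety-task data, XN  */
    { 0x20002000u, 13, AP_FULL,    true  }, /* 8 KiB regular-task data, XN */
};
const size_t demo_map_len = sizeof demo_map / sizeof demo_map[0];
```

With this map an unprivileged regular task can read and write only its own partition, cannot execute from RAM, and any access to the safety task's data faults unless the core is privileged.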



IEC 60601-1:2005+A1:2012. Medical electrical equipment – Part 1: General requirements for basic safety and essential performance.

IEC 62304:2006. Medical device software – Software lifecycle processes.
