The continuum of safety-related delivery

One of the biggest challenges as a functional safety consultancy, is marrying up modern software methods and techniques with safety related requirements, and at the same time trying not to be over restrictive with the methods and processes and the advantages these can bring. In this blog we look at how continuous delivery can be implemented in safety related software projects.

Software teams using tools such as Jenkins or TeamCity are able to run automated verification on a continuous basis. This continuous integration can significantly accelerate the process of verifying code, but what happens after that?

As we look at the right-side of V-models in IEC 62304 or ISO 26262, we move through the activities of verifying software units and then integrating these into the software items (or architecture) and then further verifying at that level. Depending on the product there has been traditionally an integration phase with the hardware platform.

Software as a Medical Device

With the world moving steadily towards more software-based solutions, such as the use of mobile apps to assist clinicians, much of the verification is now automated. This is illustrated in the case of medical devices in graphic below:

The International Medical Device Regulators Forum (IMDRF) has undertaken a significant piece of work on the topic of software as a medical device (SaMD). This has already been implemented in IEC 82304-1 and will be in the next version of IEC 62304. This brings us to the verification of software that has no dedicated hardware platform, hence has no integration with hardware and corresponding verification.

We have not reached a point where continuous deployment is really practical, i.e. when software is automatically shipped to the customer with no manual intervention, due to the completion of activities in IEC 62304, IEC 82304-1 and ISO 14971. However as a result of the updates, these steps can be concluded relatively quickly before shipping the code to the customer. For now, validation activities are still very much in the human domain and where software changes require regulators’ approval prior to release, there is an additional manual step. Yet it is clear that the automated verification has some major advantages and providing the requirements are captured properly, this should ensure the correct automated tests are defined.

In a world where cybersecurity risks are gaining ever increasing attention, the ability to update and test code in a timely fashion is becoming more important. This is certainly made easier through automated testing.

Above all, the focus of fulfilling requirements and ensuring risk acceptability must not be circumvented or diminished, but continuous integration has a major role to play in safety related industries.

In the second part of this blog we look at the tools and techniques for continuous integration in-line with activities defined in safety related standards. Read the article here.

By Alastair Walker, Consultant