Re: [SystemSafety] Therac-25 redux

From: Dick Selwood < >
Date: Sat, 16 Aug 2014 09:25:22 +0100

Moog Medical Products in 2011 recalled ambulatory infusion pumps because of software issues which allowed larger doses to be administered.

And then they did it again in May 2012, this time because the pumps could suck instead of pump. The company only survives because of being part of a much bigger group.

In a related incident:

"Cardiac Science Corporation’s problems with defibrillators (used for resuscitation of heart attack and other trauma victims). The 2009 release announcing the recall talked of issues with resistors, but announced that a software fix would be available. It then recalled 24,000 defibrillators, at a cost of $18.5 million. Customers and shareholders lost confidence and, in 2010, the company was sold."

All this was in an article I wrote in 2012, "Software that can kill".

This discussed the FDA and its work on software and went on to argue for applying engineering discipline to developing software.


On 16/08/2014 08:12, Peter Bernard Ladkin wrote:
> On 2014-08-16 06:10 , Les Chambers wrote:
>> A quick search of the Internet did not reveal any publication of drug-infusion pump hazards. Is
>> anyone aware of same?
> Yes we are (I much less than some others here). Vulnerabilities with medical devices, especially
> implantable medical devices, are a big thing. Harold Thimbleby at Swansea has been working on it for
> a couple decades. He's primarily an HMI guy but we wrote a couple papers on security and safety. He
> has an award-winning book on interface design with MIT Press called Press On.
> Ross Anderson at Cambridge is aware of the issues with medical device security, but works primarily
> in other areas. He was at Black Hat this year, where the IOActive stuff on the Cobham kit was
> presented. He does have some strong opinions on the state of the practice in medical-device security.
> Barnaby Jack was one of the best known (that is, notorious) security thespians. I understand he was
> about to demo defibrillator and infusion-pump vulnerabilities at Black Hat last year when he
> overdosed himself on recreational and other drugs a week before. He has a Wikipedia page, which one
> can be sure was not written by him :-)
> You have to be somewhat careful of the "security theatre" surrounding medical-device
> vulnerabilities. I am told that patient welfare is not being well served by the current addiction to
> media exposure. Indeed, it is one of the three topics in the paper I wrote a week ago for the
> upcoming SSS in February in Bristol. (One of the others is, by
> request, MH 17. It is about how one might do security risk assessment. It turns out to be different
> in some crucial ways from safety risk assessment.)
> There are indeed stories to be told, and recently I have been reading some. Neither Harold nor Ross
> is on this list, but one of our lurkers is a renowned expert on medical-device safety and security.
> One of the big problems, not well served by security theatre, is that some of the implantable kit
> was designed and implanted quite a while ago, before people paid that much attention to the kind of
> antics security thespians can get up to nowadays. But fixing it, that is, updating a device,
> requires more surgery, which is not without risk and of course considerable inconvenience to the
> patient. That has to be balanced against the chances that some jerk behind you in the line at
> Starbucks will reprogramme your defibrillator with a phone.
> I would imagine that one of the reasons this topic is hitting the press now is, as The Economist
> hinted, the US FDA appears to be embarking on a push to get this all sorted.
>> This brings me to my point: wouldn't it be great if we had a readily accessible ontology of hazards
>> for various application domains. It's an obvious idea. Is anyone aware of discussions along these
>> lines?
> I think, from what I understand, that that's part of the FDA plan. It's certainly part of general EU
> planning: Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore
> have a report "Security Economics and the Internal Market" for ENISA, which says as one of its first
> recommendations that there should be vulnerability databases with compulsory notification requirements.
>> "Open source" hazard ontologies would solve the problem of corporate memory loss, amnesia and
>> denial.
> Yes, but I doubt there is any chance. Too much proprietary information is involved for any effective
> vulnerability catalogue to be public.
> Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
> Tel+msg +49 (0)521 880 7319

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Sat Aug 16 2014 - 10:25:45 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:06 CEST