Specializing in Medical Device Software Development, Testing, and Remediation
Software Development
Software Development
From initial development to project management, we do it all. CriTech takes a high-level set of system or software requirements for a product and creates safe, reliable software that meets your needs. During development, our project management plans and regular status reports provide visibility into each of the activities required for successful software development. At every phase of the project, our critical software development process provides detailed guidance for all development activities, including:
- Cybersecurity Risk Management
- Software Development
- Project Management
- Software Risk Management
- Software Configuration Management
- Software Quality Assurance
- Verification
Communications Development
Good communication is essential. We provide communications solutions for a variety of protocols, including Health Level 7 (HL7) — used for both hospital information systems (HIS) and laboratory information systems (LIS) — as well as:
- Controller Area Network(CAN)
- Ethernet Networks
- Bluetooth™ Networks
- DeviceNet Networks
- IDB Networks
- Proprietary Networks
Software Testing
Independent Verification
CriTech provides a variety of software testing services, from development of plans, designs, test cases, and procedures to actual test execution and reporting. We offer complete independent verification of the software for your product.
Throughout the testing, we follow an IEEE compliant verification and validation process that results in documentation that aids technology transfer to the customer at the end of the project. The products we have worked on have consistently achieved 100% first-time approval from both FDA and EU Notified Bodies.
Intended-Use Validation
Intended-use validation confirms and documents that a specific software application or system produces the intended or specified results. We develop and execute intended-use validation procedures for software-based tools used in the development and manufacturing of medical devices. We also offer this service for software contained within the device itself.
Software Risk Management
CriTech provides a complete set of documentation that captures the results of the software risk analysis, including the software hazards list and associated risk control measures, the set of fault trees with identified Single Points of Failure (SPOFs), and recommendations for mitigating the SPOFs. A traceability matrix links the software risks to their associated test cases and test results.
CriTech’s software risk management meets the applicable requirements of ISO 14971 and the IEC 62304 risk management process.
Cybersecurity Services
CriTech provides software cybersecurity services for new medical device development and legacy device remediation.
CriTech offers services for both Pre-Market and Post-Market devices.
Our Pre-Market services are focused on identifying and mitigating cybersecurity risk. We perform cybersecurity risk analysis and control to assess and recommend changes to the system design. We then carry out various levels of testing to ensure the system correctly implements the cybersecurity risk mitigations. Both static analysis and dynamic penetration testing are performed. Key activities are:
- Cybersecurity Threat Modeling, including identification of Trust Boundaries
- Cybersecurity Risk Analysis – intended to assess the potential vulnerabilities, threats, and impacts of a device
- Cybersecurity Risk Control Measures – intended to add risk control measure to each identified risk as well as its corresponding risk level
- Vulnerabilities Assessment – identifies any known vulnerabilities inadvertently incorporated into the system's software
- Penetration Testing – focused on ensuring proper implementation of the cybersecurity risk (requirements), exercising interfaces between the components, and misuse and fuzzy testing
- Preparation of Cybersecurity Bill of Materials (CBOM)
Our Post-Market services focus on the needs of ensuring any newly uncovered cybersecurity risk is identified and remediated quickly and efficiently.
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk
- Maintaining robust software lifecycle processes that include mechanisms for:
- monitoring third party software components for new vulnerabilities throughout the device’s total product lifecycle
- design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to off-the-shelf software
- Understanding, assessing, and detecting presence and impact of a vulnerability
- Establishing and communicating processes for vulnerability intake and handling
- Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond, and recover from the cybersecurity risk
Due Diligence
In the process of acquiring medical device companies or licensing their technologies, many of our customers have had challenges determining the state of the software’s compliance to FDA, European, and other worldwide standards. CriTech will examine the software’s Design History File of the potential acquisition and provide a report on the compliance and completeness of the device’s software. If needed, we can perform a more in-depth and rigorous investigation into the quality of the software and its related documentation, including detailed reviews of software verification.