In almost everything in quality there are multiple facets of responsibility. The same applies when we talk about cyber security and threat assessment. So how do we protect those who depend on the products and services we provide?
Market demands for increasingly intelligent products — coupled with rapidly evolving software and wireless technology — provide the means for companies to deliver exactly what the market demands. What is equally clear is that the ability of companies to assess the risk to the user and their privacy is not coming close to keeping pace with these advances. The fact that the capability for smart devices is more readily available is no guarantee that prudent product management decisions are being made. The media is filled with stories about misuse of everything from baby monitors to auto-assist parking in late-model vehicles.
I recently attended a seminar concerning FDA regulatory requirements specific to software as a part of a medical device, or in some cases, the device itself. Half of the two-day event was devoted to putting the attending companies on notice that the responsibility for prudent Risk Assessment and Controls was squarely on the product provider. The FDA, like aerospace and automotive manufacturers, is strengthening its guidance documents and position on cyber security, governance, definitions, and controls for wireless devices. Responsibilities related to enforcement are being shared with NIS, and in a smaller role, the FCC here in the U.S. A complete and cogent understanding of what is required for prudent development and risk management for software relative to compliance is currently all over the map.
There are manufacturers of smart toys that communicate with your child, as well as smart TVs that record at least some of the interaction with the consumer and send it wirelessly back to the developer. Many companies partner with a software development organization and simply purchase the technology with little understanding of the potential for misuse and harm to the consumer. On the other end of the spectrum are companies like Google, who know they have a lot of skin in the game. They maintain a tightly managed group of savvy hackers who spend all their time doing their best to hack every line of code the Google developers write. The goal is to harden the code and thwart the cyber criminals before they can harm the Google user community.
Looking at litigation related to software as part of a product, the courts seem to be taking the same position as the FDA: The product provider has the majority of responsibility for assuring that a prudent assessment of risk resulted in reasonable steps to mitigate the potential for misuse. This appears to extend to even inadvertent misuse, particularly by children and the elderly.
Risk assessment, mitigation, and controls are no longer a nice-to-have component of a quality and compliance system. Every company needs to assure that it has included prudent risk assessment and controls against the potential misuse of all of its offerings. Extend your thinking about standard risk calculations to include normal use, out-of-process use, and misuse as conditions for assessment:
- Begin conducting regular design risk management meetings as part of your product management process.
- Make sure you include this mindset in your test and quality assurance programs and in your assessment of warranty claims and customer feedback.
- Treat your CAPA and complaint process as an early warning system that the users of your product may be exposed to a cyber-threat and potential harm, even inadvertently.
- Take the proper steps to assure your company does not stumble in the race to embrace new technology.
The sizzle of enticing new features is great, but make sure your customers don’t choke on the steak.
Mary V. McAtee is a technical pre-sales consultant for Siemens PLM’s QMS business unit. A member of the Siemens QMS organization for over 20 years, McAtee is a 40-year quality professional specializing in reliability engineering for semiconductor and nuclear devices. She won the General Manager’s Award at New England Research Center for developing R&D-centric quality management systems for the output of the research scientists. McAtee is an exam-qualified lead assessor for ISO 9001, ISO 14001, TS 16949, ISO 13485, and TickIT. She is also the QMS Lexington quality manager and a lead assessor in the Siemens PLM quality organization.