SE Sep 13, 2022
Continuous Design Control for Machine Learning in Certified Medical Systems
Vlad Stirbu, Tuomas Granlund, Tommi Mikkonen
Continuous software engineering has become commonplace in numerous fields. However, in regulating intensive sectors, where additional concerns need to be taken into account, it is often considered difficult to apply continuous development approaches, such as devops. In this paper, we present an approach for using pull requests as design controls, and apply this approach to machine learning in certified medical systems leveraging model cards, a novel technique developed to add explainability to machine learning systems, as a regulatory audit trail. The approach is demonstrated with an industrial system that we have used previously to show how medical systems can be developed in a continuous fashion.
SE Mar 17, 2021
Extending SOUP to ML Models When Designing Certified Medical Systems
Vlad Stirbu, Tuomas Granlund, Jere Helén et al.
Software of Unknown Provenance, SOUP, refers to a software component that is already developed and widely available from a 3rd party, and that has not been developed to be integrated into a medical device. From a regulatory perspective, SOUP software requires special considerations, as the developers' obligations related to design and implementation are not applied to it. In this paper, we consider the implications of extending the concept of SOUP to machine learning (ML) models. As the contribution, we propose practical means to manage the added complexity of 3rd party ML models in regulated development.
SE Mar 16, 2021
MLOps Challenges in Multi-Organization Setup: Experiences from Two Real-World Cases
Tuomas Granlund, Aleksi Kopponen, Vlad Stirbu et al.
The emerging age of a connected, digital world means that there are tons of data, distributed to various organizations and their databases. Since this data can be confidential in nature, it cannot always be openly shared in search of artificial intelligence (AI) and machine learning (ML) solutions. Instead, we need integration mechanisms, analogous to integration patterns in information systems, to create multi-organization AI/ML systems. In this paper, we present two real-world cases. First, we study integration between two organizations in detail. Second, we address scaling of AI/ML to a multi-organization context. The setup we assume is that of continuous deployment, often referred to as DevOps in software development. When ML components are also deployed in a similar fashion, the term MLOps is used. Towards the end of the paper, we list the main observations and draw some final conclusions. Finally, we propose some directions for future work.
CR Mar 11, 2021
On Medical Device Cybersecurity Compliance in EU
Tuomas Granlund, Juha Vedenpää, Vlad Stirbu et al.
The medical device products on the European Union market must be safe and effective. To ensure this, medical device manufacturers must comply with the new regulatory requirements brought by the Medical Device Regulation (MDR) and the In Vitro Diagnostic Medical Device Regulation (IVDR). In general, the new regulations increase regulatory requirements and oversight, especially for medical software, and this is also true for requirements related to cybersecurity, which are now explicitly addressed in the legislation. The significant legislation changes currently underway, combined with increased cybersecurity requirements, create unique challenges for manufacturers to comply with the regulatory framework. In this paper, we review the new cybersecurity requirements in the light of currently available guidance documents, and pinpoint four core concepts around which cybersecurity compliance can be built. We argue that these core concepts form a foundation for cybersecurity compliance in the European Union regulatory framework.