Skip to content

Software in Medical Devices – Software Update 22/01/14

Software in Medical Devices – Update

We have previously written about various aspects of the software life cycle development process, especially, the verification and validation activities. We would like to present you with an update on what is happening in the regulatory arena and how the regulatory groups are checking up on what we are doing.  We will try to keep you informed every so often, but please remember that the standards development process is a very long process and they don’t change

Software Recalls 2013

The estimate for software recalls by the FDA for 2013 is 197. The software recalls for 2012 were 173, for 2011 were 177 and for 2010 were 76. The sources state that   it’s not clear why the numbers are rising – either a decrease in software safety, an increase in the number of software devices or an increase in reporting.

Static Code Analysis

Static Code Analysis (SCA) is a pet subject we bring up in each update because the topic is very much evolving. About 7 years ago we brought back from a conference with the FDA the idea that the FDA can request your source code and then run a  SCA tool on the code. About 4 years ago we found our first Israeli company who was required to send their source code to the FDA, so we realized that this is serious business.

In the past year, the FDA has requested the Static Code Analysis Report from a number of companies. In some cases, the company purchased the SCA after the report was requested. This added about 2 – 3 months to clean up the software and prepare the clean report. A number of other companies have purchased the tool prior to being requested for the report and saved the time.

We recommend that you think this through during the development phase, especially if you are a high-risk project (Major Level of Concern, PMA, 510/K De Novo, infusion pump, or any other special case).

We feel that in the future, the FDA will require the SCA report as a standard for all submissions (it saves them the trouble of asking for it).

UID (Unique Device Identification)

The FDA has issued the UID Final Rule on 24/9/13. The FDA also issued the draft guidance for the Global Unique Device Identification Database (GUDID). This is designed to help labelers prepare to submit information to the GUDID by describing key GUDID concepts such as accounts, user roles, the device identifier record life cycle, package configurations, and the GUDID data attributes and descriptions.

FDA has accredited the first two organizations (GS1 US and Health Industry Business Communication Council (HIBCC)) to allocate UDI identifying codes. This is required under the new FDA UDI rule, which requires all medical devices to have a unique identifier.

Computational Modeling Studies            

The FDA has issued a new draft guidance “Reporting of Computational Modeling Studies in Medical Device Submissions”. This guidance for use of computational modeling and simulation (CM&S) studies in premarket submissions provides recommendations to industry on the formatting, organization, and content of reports of CM&S studies that are used as valid scientific evidence to support medical device submissions. The FDA has been encouraging companies to focus on modeling studies with a goal that they could eventually replace costly bench and animal studies. Download guidance at  http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm371016.htm.

Evaluation of Risk Management

IECEE published the Evaluation of Risk Management in medical electrical equipment according to the IEC 60601-1 & IEC/ISO 80601-1 (OD-2044 Ed.2.2) on 20/11/13.

Download document at  http://www.iecee.org/Operational_documents/iecee_documents/od- 2044_ed.2.2.pdf.

FDA Security Breach

Reuters reported that the U.S. Food and Drug Administration is under pressure from the pharmaceutical industry and lawmakers to undergo an independent security audit, after hackers broke into a computer system used by healthcare companies to submit information to the agency. Full article is found at

https://in.reuters.com/article/cyberattack-fda-drugmakers/drugmakers-urge-fda-security-audit-after-cyber-breach-idINDEE9BH00N20131218

Medical Device Development Tool Guidance

This document provides draft guidance on a voluntary process for qualification of medical device development tools (MDDT) for use in device development and evaluation programs. An MDDT is a scientifically validated tool – a clinical outcome assessment (e.g. patient-reported or clinician-reported rating scales), a test used to detect or measure a biomarker (e.g. assay for a chemical analyte or medical imaging method), or non-clinical assessment method or model (e.g. in vitro, animal or computational model) – that aids device development and regulatory evaluation.

Download guidance at  http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM374432.pdf.

Mobile Medical Applications Guidance

This document provides a guidance on what is a mobile device and how to relate to it as a medical device. This is a final guidance (draft was issued 21/7/11) issued 25/9/13. It is not very comprehensive and leaves a lot to the imagination of the submission. Download guidance at  http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm263366.pdf.

Australian Regulation of Medical Software

The Australian Department of Health released the Regulation of Medical Software and Mobile Medical Apps on 13/9/13. Download guidance at

http://www.tga.gov.au/industry/devices-software-mobile-apps.htm#.UuDyhhBBvGg

IEC 62304

The update for the IEC 62304 (Software Development Life Cycle) has passed and should be issued sometime Q1/14. This update (listed as Edition 1.1) adds a flow for determining the Software Safety Classification, relates to validation of legacy software, and other miscellaneous clarifications and minor technical changes. A capability assessment for meeting the standard should be released as a separate Technical Report mid-2014. Edition 2 of the standard is in committee and is expected 2015/16.

IEC 60601

Amendment 1 for the third addition was released July 2012 (known as edition 3.1). This edition references IEC 14971:2007 for risk management, IEC 62304:2006 for software development life cycle and IEC 62366:2007 for usability engineering.

ISO 82304-1, Healthcare Software Systems

ISO 82304-1, Healthcare Software Systems – Part 1: General Requirements for Product Safety – to be released maybe later this year. Relates to standalone health software (software intended to be used specifically for maintaining or improving health of individual persons, or the delivery of care). There is a draft copy out.

Validation of Software for Regulated Processes

ISO/IEC TR 80002-02, Medical device software – Part 2: Validation of software for regulated processes – to be released maybe later this year. This refers to software used in the all other aspects in the organization. Current guidance is TIR36:2007.

IEC 80001 Series

IEC 80001 is the application of risk management for IT-networks incorporating medical devices. This is the risk management doctrine for hospitals, etc. employing medical devices on the network. If you supply your system to a hospital, you may be requested to let the hospital know if you are 8001 compliant. The released standards are:

  • IEC 80001-1:2010, Part 1: Roles, responsibilities and activities
  • IEC 80001-2-1:2012, Part 2-1: Step by step risk management of medical IT- networks – Practical applications and examples
  • IEC 80001-2-2:2012, Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls
  • IEC 80001-2-3:2012, Part 2-3: Guidance for wireless networks
  • IEC 80001-2-4:2012, Part 2-4: General implementation guidance for Healthcare Delivery Organizations

Cybersecurity

The FDA issued the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices on 14/6/13. Download guidance at  http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocu  ments/ucm356186.htm.

Wireless Technology

The FDA issued the Radio Frequency Wireless Technology in Medical Devices on 14/8/13. Download guidance at  http://www.fda.gov/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm077210.htm

Patient-Centric Integrated Clinical Environment (ICE)

ASTM released the Medical Devices and Medical Systems – Essential safety requirements for equipment comprising the patient-centric integrated clinical environment (ICE) – Part 1: General requirements and conceptual model in 2013. It is not clear where this comes into play.

Future Guidances

  • AAMI TIR on Guidance on Health Software Safety and Assurance – future release
  • AAMI TIR on Classification of defects contributing to unacceptable risk in health software – future release

We will expound on these issues and more in the future and will update you accordingly. We will also try to get out the updates more often. If there are any questions or requests, please feel free to contact us at the email listed below.

Mike

Download the Full Update

 

Back To Top
Search