Software in Medical Devices – Update for Q1/Q2 2024 The past year, as in previous…
Software in Medical Devices – Update
Software in Medical Devices – Update
This is a continuation of the software updates I have been sending out.
Software Recalls 2014
Last update we noted the FDA report and recalls for 2013. We have been following the recalls for 2014 and there were a number of recalls that are listed for 2014 where software played a role in the recall. The following are few examples of recalls for 2014 involving software directly:
- Spacelabs Healthcare Ltd., ARKON Anesthesia Delivery System with Version 2.0 Software – software defect causes the system to stop working.
- Baxter Healthcare Corporation, Sigma Spectrum Infusion Pumps with Master Drug Library Model No. 35700BAX and 35700ABB – a system error occurs when the software improperly detects that the door is open when it is physically closed.
- CareFusion 303, Inc., Alaris Pump Module (Model 8100), Version 9.1.18 – software may not properly delay an infusion with “delay until” option or “multidose” feature.
- Baxter Corporation Englewood, ABACUS Total Parenteral Nutrition Calculation Software, Versions 3.1, 3.0, 2.1, and 2.0 – software errors may cause toxic or overdose symptoms.
- Covidien, Puritan Bennett 840 Series Ventilator – software problem causes the ventilator to stop functioning, triggering the safety alarm and causing the patient to suddenly be required to breathe on his or her own.
- McKesson Technologies, McKesson Anesthesia Care – patient case data may not match patient data.
There are other recalls where the software did play a passive part where it did not mitigate the problem where it was possible to mitigate it. If the companies would have done the risk analysis covering all bases, then they would have found the risks and mitigated them accordingly using, also, the software.
FDA Health IT Report
The FDA, together with the FCC and the ONC, issued the FDASIA Health IT Report in April 2014. The report contains the proposed strategy and recommendation for a risk based framework.
http://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProduct sandTobacco/CDRH/CDRHReports/UCM391521.pdf
NASA Software Verification Article
There was an article on software verification by NASA in the ACM Journal which was related to by SoftwareCPR (software consulting group in the US for medical devices):
NASA issued the ISO-C99 standard for flight software. The coding standard has 6 levels of compliance based on safety. NASA uses 4 SCA tools – Coverity, Codesonar, Semmle and Uno. NASA developed an in-house tool called Scrub that combines the output of all 4 SCA + peer reviews. NASA also used a free logic model checker called Spin to mitigate multi-threading issues.
AAMI TIR50 Post Market Surveillance of Use Error Management
The AAMI is releasing (not released yet but a preview edition is available in the AAMI website) TIR50:2014 Post Market Surveillance of Use Error Management. The document addresses the issue of use error detection for medical devices from the clinical, manufacturer, patient, user and regulatory perspective. The goal of the document is to provide guidance on how these individuals can best collect, assess and leverage post-market use error data to mitigate product risk, and to improve product safety and usability.
Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices
The FDA has released the draft guidance for the Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices on May 13, 2014.
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm396209.htm
Framework for Improving Critical Infrastructure Cybersecurity
The NIST released the Framework for Improving Critical Infrastructure Cybersecurity, version 1 on 12/2/14. This does not specifically relate to medical devices, but should be looked over by all developing cyber software (if you don’t know what cyber software is, then this document is not for you).
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
Electrosurgical Devices for General Surgery
The FDA has released a draft guidance for Premarket Notification [510(k)] Submissions for Electrosurgical Devices for General Surgery on 24/3/14. Software in the electrosurgical devices is mentioned here and should be related to by all device manufacturers in this field.
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm383206.htm
Guidance on medical device stand-alone software (including apps)
MHRA issued the Guidance on medical device stand-alone software (including apps) on 19/3/14. The guidance is meant for healthcare and medical software developers who are unsure of the regulatory requirements for CE marking stand-alone software as a medical device.
http://www.mhra.gov.uk/Howweregulate/Devices/Software/index.htm
Global Unique Device Identification Database
The FDA has issued the guidance on Global Unique Device Identification Database (GUDID) on 27/6/14. This document supersedes all previous versions. This is designed to help labelers prepare to submit information to the GUDID by describing key GUDID concepts such as accounts, user roles, the device identifier record life cycle, package configurations, and the GUDID data attributes and descriptions.
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM369248.pdf
Electronic instructions for use of medical devices
Commission regulation (EU) no. 207/2012 of 9 March 2012 relates to using electronic forms (PDF, HTML, etc.) for providing instructions for use (IFU). This is important for all medical device manufacturers who want to supply the user manual electronically and not hardcopy.
http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:072:0028:0031:en:PDF
Guidance on EU Commission Regulation 207/2012
The MHRA released on 9/1/13 this regulation dealing with electronic labeling of medical devices. References the Commission regulation (EU) no 207/2012.
http://www.mhra.gov.uk/Howweregulate/Devices/Devicesregulatorynews/CON222581
Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices
The FDA released the draft guidance for Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices on 20/6/14. This guidance’s purpose is to inform manufacturers, distributors, and other entities that the FDA does not intend to enforce compliance with the regulatory controls that apply to MDDS, medical image storage devices, and medical image communications devices, due to the low risk they pose to patients and the importance they play in advancing digital health. This is not open season to declare all systems as MDDS but what is a MDDS is now deregulated.
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm401785.htm
FDA Blog on MDDS
Bakul Patel is a senior policy advisor at the FDA/CDRH. He posted a blog explaining the why the FDA is encouraging organizations to take advantage of the MDDS ruling.
http://blogs.fda.gov/fdavoice/index.php/2014/06/fda-encourages-medical-devicedata-system-innovation/
IEC 62304
The update for the IEC 62304 (Software Development Life Cycle) has passed (SII has voted to approve it based upon my recommendation) and should be issued sometime late 2014. This update (listed as Edition 1.1) adds a flow for determining the Software Safety Classification, relates to validation of legacy software, and other miscellaneous clarifications and minor technical changes. A capability assessment for meeting the standard should be released as a separate Technical Report late 2014. Edition 2 of the standard is in committee and is expected 2015/16.
Static Code Analysis
Static Code Analysis (SCA) is still an issue and is being utilized by the FDA in more submissions than in the past.
We recommend that you think this through during the development phase, especially, if you are a high-risk project (Major LOC, PMA, 510/K De Novo, infusion pump, or any other special case).
We feel that in the future, the FDA will require the SCA report as a standard for all submissions (it saves them the trouble of asking for it).
IEC 60601
EN60601-1:2006 + A1:2013 (edition 3.1) has been harmonized under the MDD This edition references IEC 14971:2007 for risk management, IEC 62304:2006 for software development life cycle and IEC 62366:2007 for usability engineering.
ISO 14971 vs IEC 60601
There has been much noise over the concept of risk management in medical devices. ISO 14971 is defined as “Medical Devices – Application of Risk Management to Medical Devices. IEC 60601 is defined as “Medical Electrical Equipment – Part 1: General Requirements for Safety and Essential Performance”. There are those that think that ISO 14971 is a subset of the risk management as defined in IEC 60601. There are the others that believe that IEC 60601 is a standard defining safety and essential performance and not risk management for the device and the risk management is defined in the ISO 14971.
My opinion is of the former. IEC 60601 relates to specific tests (including pass/fail criteria) that have to be performed by a certified laboratory. ISO 14971 states that there are various methods and techniques that can be used to handle risk management and it is the organization’s responsibility to decide how to do and to prove it. As the certified laboratory is not certified for ISO 14971 (there is no certification for ISO 14971), it cannot mandate a specific method or technique and should not interfere with the risk management process in the organization. I have seen good risk analysis performed in projects and terrible risk analysis performed. As the risk analysis (and subsequent risk management) is essential for the safety of the device and the liability associated with its usage, I highly recommend to relate to the interpretation and implementation of ISO 14971 very carefully and seriously.
Future Guidances (still not released and no further info)
- AAMI TIR on Guidance on Health Software Safety and Assurance – future release
- AAMI TIR on Classification of defects contributing to unacceptable risk in health software – future release
If there are any questions or requests, please feel free to contact us.
Mike