Software in Medical Devices – Update for Q1/Q2 2024 The past year, as in previous…
Software in Medical Devices – Update for Q3/Q4 2018
Software in Medical Devices – Update for Q3/Q4 2018
This is a continuation of the software updates I have been sending out. Please check out all the references to download and/or to purchase. If you have any questions, please contact us.
Software is everywhere in medical devices and IVDs. The FDA and CE are becoming more pedantic on how they review and relate to software. The number of companies getting into the field is growing and the amount of software being developed for medical is very large.
The is an emphasis on “digital health” where the FDA is fast-tracking many devices (even though it is only software, it is still a medical device). Just because it is software only, this doesn’t mean that you are free from all the regulations, including a quality management system, risk analysis, etc.
There are rumors that the FDA will get rid of the differences in the documentation to submit for the Level Of Concern (LOC). If and when this happens, all submissions will probably be like a Major LOC of today, including the static code analysis report.
Software Recalls Q3-Q4 /2018
We have been following the recalls and there were a growing number of recalls that are listed where software played a role in the recall. There were even a number of Israeli companies who made recalls due to software issues. The following are additional examples of recalls involving software directly as listed on the FDA website. There were over 120 recalls in this period relating to software, including a number of class 1 recalls. There may be more but classified not under software directly.
- Puritan Bennett 980, Class I – Software Update: External USB Drive performance and its impact on Graphic User Interface (GUI) functionality and labeling of the scalar waveform displayed on GUI during ventilation.
- BrightMatter Guide, Class I – This recall has been initiated due to a software defect found in the Guide System software when used with NICO BrainPath ports under certain circumstances. When one trajectory is set with a blue port and another trajectory is set with a gold port, the software defect is triggered when the user switches between these trajectories during a surgical procedure.
- Arkon Anesthesia Delivery System, Class I – Spacelabs Healthcare recalled the Arkon Anesthesia Delivery System due to the system going into a “failed state,” during which the mechanical ventilation function stops working, while the machine is in use, or while idle. The firm has not identified the reason for the failed state. When the machine goes into a failed state, a buzzer sounds, and the following image is shown on the large display monitor: Warning image, which consists of a yellow triangle with black exclamation point, and images of hands using manual ventilation, and a hand selecting emergency oxygen. Caption: Failed state warning image, which alerts users of the error, and indicates that manual ventilation and emergency oxygen are available alternatives. During the failed state, the anesthesiologist cannot access mechanical ventilation or monitor ventilation, which could increase the risk of patient injury.
Emergency oxygen, vaporized agent delivery, and manual ventilation are still available. The firm has not received any reports of malfunctions, injuries, or deaths. Continued use of this product may cause serious adverse health consequences, including death. - CAPNOSTREAM 20, Class II – The date/time, nurse call and alarm settings of the bedside patient monitors may reset to the factory default settings when the monitor is powered off.
- Integrated Gate Controller PCB, Class II – RTInterface error in the event of an I/O error between the IGC PCB and the Framegrabber PCB.
- OptiMedica Catalys Precision Laser System, Class II – Software upgrade exhibits failures when executing Daily Alignment Verification (DAV), specifically, cuts on the plastic hemisphere during DAV do not match the intended cuts shown on the treatment overlay screen on the system GUI.
- TrueBeam Radiotherapy Delivery System, Class II – Reports have been received of an anomaly that can result in a treatment without intended gating (respiratory tracking/monitoring). This issue occurs when a patient planned with gating is treated on more than one system.
- VitalBeam Radiotherapy Delivery System, Class II – Reports have been received of an anomaly that can result in a treatment without intended gating (respiratory tracking/monitoring). This issue occurs when a patient planned with gating is treated on more than one system.
- ABL90 FLEX Analyzer, Class II – The ABL90 FLEX can aspirate Cal 2 solution instead of rinse solution, when the following take place: The analyzer is in ready mode Operator lifts the inlet and then closes it again, thereby initiating a rinse Immediately after lifts the inlet and quickly closes it again.
- ddR Formula B X-ray System, Class II – Possible injury due to movement of the arm, calibration loss and communication loss.
- GG8 Automated HPLC Analyzer-723G8, Class II – Analyzers were distributed with software which lacks a 510K.
- Hoffmann LRF Hexapod Software, Class II – When creating a correction plan with the Correct Axial First button selected and the No. of corrections per day set to more than 1 (e.g., 2, 3, or 4), the Hexapod Software computes an erroneously accelerated correction plan for the axial portion of the plan.
- Model 3300 LATITUDE(TM) Programming System, Class II – There is a potential for the Pacing System Analyzer (PSA) to exhibit unintended cross chamber stimulation.
- VISUALASE THERMAL THERAPY SYSTEM, Class II – Inaccuracy of MR thermometry during MRI-guided laser ablation procedures using the Medtronic Visualase Thermal Therapy System may result in unaccounted spread of thermal energy to the surrounding tissue.
- 2008T HEMODIALYSIS SYSTEM, Class II – In the hemodialysis machine during the cleaning/disinfection program, when there is a power failure or interruption, the dialysis program button should be greyed out when the machine is powered up and a mandatory rinse should be required. However, if a power failure or interruption occurs during the cleaning/disinfection program with the auto-start feature enabled, the machine enters the dialysis program even though the dialysis program button is disabled and the mandatory rinse has not been performed. As a result, disinfecting chemical may not be completely removed from the machine before starting a treatment and disinfectant could exist in the
dialysate delivered to the patient. - AIRO Mobile CT System, Class II – The Tube Current Modulation feature (Modulated Scans) is not working in AIRO systems with software version 2.0.0.0, and operators would not be able to detect this fault until after a scan is completed.
- Makoplasty RIO Standard System, Class II – Communication-connection error.
- Canon DRAD-3000E (Radrex-i) TFP-4336W, Class II – It was found when an operator performs a radiography using the wireless flat panel detector (FPD), a message window was displayed on the monitor stating image transmission was not completed and there was no image. It also showed the OK button to reacquire image data form the FPD, and the Cancel button to cancel the reacquisition. When the operator selects the OK button, the same message window appears. The operator then repeated the same operation several times and finally selected the Cancel button to quit the reacquisition mode.
- McKesson Cardiology Hemo, Class II – Change Healthcare has identified an issue where, under certain circumstances, the Real Time Monitor (RTM) may not display physiological signals.
- 20) VidiStar PACS & DICOM Viewer SW System, Class II – The secure file system client software used in the interface between the Vidistar PACS and an EHR system may cause intermixed images from multiple patients showing in a single study.
- Liebel-Flarsheim Digital Imaging System, Class II – The difference between the display and dosimeter readings In the Child/Pediatric automatic exposure mode is in the range of 52-65%. The display in all other modes deviated by less than 35% from the dosimeter readings.
- Ortho Kinematics Vertebral Motion Analyzer, Class II – The Vertebral Motion Analyzer (VMA) test contained an error. The error occurred due to a software bug that has been corrected.
- G8 Automated HPLC Analyzer, Class II – HbAE is known to interfere with the HbA1c assay on the current version of software, Ver. 5.23. Customers should exercise caution when reviewing chromatograms and ensure that Flag 43 is enabled on their device to avoid reporting invalid test results in the presence of HbAE.
- ENVOY 500 ISE CALIBRATOR, Class II – Envoy 500 systems are observing trouble while calibrating with some vials. Users contacted the firm when they received the messages “ISE OUT OF REPRODUCIBILITY” or “ISE SLOPE OUT OF RANGE” (i.e., failed calibration). This has resulted in delay in obtaining patient results until the calibrator lot is replaced.
- NS Therapy Programming System, Class II – Unintended warning message displayed on generators programmed with a Model 3000 v.1.0.2.2 programmer.
- Siemens SOMATOM Systems, Class II – A potential risk of unnecessary radiation exposure due to a software issue.
- CardioMEMS HF, Class II – Abbott is advising customers that a small number of CardioMEMS(R) Hospital Electronics Systems (Model CM3000) and Patient Electronics Systems (Model CM1100) may deliver a system error, known as Error 5. While this error message is intended to present if the electronics system exceeds a certain temperature, these units may deliver a false Error 5 message due to an incorrectly configured component within the device electronics.
- Forte Automation Patient Positioning System, Class II – Communications between the Patient Positioning System and the accuracy filter can periodically fail with no clear indication to the operator.
- RayStation Treatment Planning System, Class II – The firm has learned that some RayStation/RayPlan users have commissioned machines with erroneous Beam profile correction parameters. These parameters affect the dose calculated in corners of large or off-axis fields. This effect cannot be seen in the Beam Commissioning module and dose in large or off-axis fields needs to be validated using the Beam 3D Modeling module in RayPhysics/RayPlan Physics. The user must be aware to avoid incorrect dose calculations during treatment planning.
- Disinfection unit for Celldiscoverer 7, Class II – Under certain circumstances, the firmware makes it possible for the Disinfection unit UV (432332-9020-000) to activate outside of the Celldiscoverer 7 housing. This may result in exposure of the users to harmful UV radiation.
- Health Harmony Mobile application software, Class II – It was discovered that in certain situations, including partial sessions and when taking adhoc measurements, the patient data was not synchronizing in a timely manner with the backend database, resulting in the patient’s clinician not getting patient data for one or two days.
- RayStation stand-alone SW Treatment Planning, Class II – If the beam model has a highly asymmetric primary source, it is not correctly taken into account in the calculation of DMLC fields when the collimator is rotated. This could lead to potentially significant overdosage at delivery. The user must be aware of the issue to avoid incorrect dose calculations during treatment planning.
- T2100 Micro flex Drive Treadmill, Class II – A performance issue with customer owned spare parts, T2100 Microflex drive (2026182-002 or 2026182-004), was not addressed with a previous safety correction. If these parts were installed from customer owned stock on the T2100 Treadmill, uncontrolled walking belt motion during a stress exercise test could occur.
- Proteus 235, Class II – IBA is conducting a voluntary recall to address a PTS (Proton Therapy System) software issue and to reduce the risk related to this issue. The correction vector confirmation message is lost if access point is changed after sending the correction vector. As a result, the patient will be treated in the setup position or treatment position instead of the corrected position.
- Reliance 1227 Cart & Utensil Washer, Class II – The firm has become aware that the Reliance 1227 Cart and Utensil Washer/Disinfector s Chemical Low Level alarm, intended to prevent the user from initiating a cycle when a low chemical level situation occurs, does not operate as intended. Currently, if a low chemical level situation occurs, the alarm will only be generated at the unit s next power-up or when accessing service mode. The failure of the Reliance 1227 to identify that the chemicals used for cleaning are low or empty could result in bedpans and urinals, basins, case carts, beds, theater shoes and other miscellaneous reusable patient care items not being properly cleaned before disinfection or reuse.
- GE Healthcare CARESCAPE Monitor B650, Class II – When multiple CARESCAPE Monitor B650 units are connected to the same network and a network overload occurs for a prolonged time, the monitors may simultaneously restart as designed. The monitor restart will not be completed until the network issue has been corrected.
- Medtronic MiniMed Paradigm Vea Insulin Pump, Class II – The MiniMedParadigm Veo insulin pump has an error that impacts the Arabic language translation. This translation error occurs in the Predictive Alerts setting screen, which allows user to program alerts that will sound if users are predicted to reach their pre-set low or high sensor glucose values.
- Siemens Artis Q, Class II – After the Large Display returns from power save mode, it may not show an image, and stay black without showing an error message although X-ray is still possible. The problem does not occur during an ongoing procedure. If the problem occurs, the system cannot be operated normally. It may be necessary to cancel or restart the treatment or transfer the patient to an alternate or another system.
- VITEK® 2 Systems Software Version 9.01 Update Kit, Class II – The VITEK 2 Systems Software Version 9.01 software may display incorrect organism identification information as well as the associated Antimicrobial Susceptibility Testing (AST) results when using the VITEK 2 FLEXPREP feature.
- Centricity Universal Viewer Zero Footprint Client, Class II – Issue #1 affects Software Versions 6.0 SP7, SP7.0.1, SP7.0.2, SP7.0.3, SP8, SP8.0.1, SP8.0.a and SP8.0.2. When an image is flipped horizontally and vertically, the orientation markers appear correctly on the image to which they were applied. However, once new image rendering happens on this image or series, the new image orientation is correctly maintained but the display of orientation markers can become incorrect. Issue #2 affects Software Versions 6.0 SP7, SP7.0.1, SP7.0.2, SP7.0.3, SP8, SP8.0.1, SP8.0.a, SP8.0.2, SP9 and SP9.0.1. When an image in a series is flipped and then rotated in Zero Footprint Viewer (ZFP), the orientation markers appear correctly on the image to which they were applied. However, once you navigate to another image in the series and the image you navigated to has a different orientation than the prior image from which you navigated, the new image orientation is correctly maintained but the display of orientation markers can become incorrect.
- B20i Patient Monitor and B20i V2 Patient Monitor, Class II – Patient monitors may restart due to network overload caused by network configuration.
- STEPHANIX D2RS Digital Dynamic Remote System, Class II – The firm has detected a potential risk using the command. After releasing the command, the movement of the table may continue instead of stopping.
- Dash 3000 Patient Monitoring System, Class II – The patient monitors may simultaneously restart as designed if all are connected to the same network and a network overload occurs for a prolonged time.
- Insulia Diabetes Management Companion, Class II – The firm identified an issue with the basal calculator identified on the Android version of the Insulia application. The bug could lead from low-impact to high-impact hypoglycemia depending on the circumstances. A new update of Insulia is now available (version 1.6.42), which resolves this issue.
- Vivo 65 Continuous Ventilator, Class III – Some Vivo 65 devices have an unreleased version of the Firmware upgrade tool.
Proposed IEC 62304 Edition 2, Health Software – Software Life Cycle Processes
The proposed IEC 62304 edition 2 standard has been rejected. The standard went back to committee and they issued an update for review on 18/1/19 with comments due by 15/3/19. If anyone want to see a copy of the draft, please contact me.
ANSI/AAMI SW91:2018, Classification of Defects in Health Software
AAMI has released a guidance on the classification of defects occurring in health software. This guidance provides a common language for all medical device/healthcare companies and regulators in handling software defects. This has been long awaited. The standard can be purchased form the AAMI store.
Release of Software Prior to Regulatory Clearance
We have come across numerous companies who have sent or are planning to send software applications (as the medical device) to various doctors and/or clinics allowing them to evaluate the software application on actual patients prior to receiving the needed clearance. This is a direct violation of the FDA regulatory requirements and will lead to a recall or worse. The FDA has issued recalls for a number of companies who released software as noted here.
Examples of such recalls are found above.
Why the FDA is Fast Tracking Digital Health
Below is a summary of an article I read. This explains why the FDA is fast tracking digital health, as it is a relatively cheap alternative to keeping patients hospitalized or the cost of re-admitting them.
“From aging populations to an increase in costs to a growing demand for affordable and personalized care—the list could go on, but it’s clear the healthcare industry faces a slew of challenges right now. While these may seem like negatives, they have opened the door for a few positives. New, lower-cost technology has the opportunity to replace out-of-date and problem prone medical devices while improving quality and cost of care. In fact, it’s estimated that each year $17 billion is spent on avoidable readmissions that could be solved simply through early intervention and better at-home care. Cloud connectivity and the Internet of Medical Things (IoMT) are adding opportunity to this growing trend.”
Medical Device Regulation
The EU’s MDR is the new rule that replaces the MDD. Medical device companies have until the end of May 2020 to transition to this MDR. The MDR is significantly different than the MDD. Compliance with the MDR is more difficult than it has been in the past, since there is no “grandfathering” for existing products, all manufacturers will need to review their current devices against the regulation’s requirements. Though it might seem like a long way off, organizations should start preparing now for the MDR.
Key changes included in the new MDR are:
- A wider scope of regulated medical devices
- At least one person responsible for regulatory compliance
- Definition of common specifications
- More stringent clinical evidence and documentation
- Increased focus on identification and traceability
- Unannounced factory audits
- Increased Notified Body authority and/or involvement
- More rigorous vigilance and market surveillance
Health Canada Medical Device Regulation
Health Canada recently issued a guidance on cybersecurity requirements and recommendations for Medical Device License (MDL) applicants. The guidance can be accessed at:
https://www.canada.ca/en/health-canada/services/drugs-healthproducts/public-involvement-consultations/medical-devices/consutationpremarket-cybersecurity-profile/draft-uidance-premarket-cybersecurity.html
Clinical and Patient Decision Support Software Many companies have been questioning whether their software application is really a medical device or not. The FDA issued a Report on Non-Device Software Functions: Impact to Health and Best Practices in December 2018. If there are questions concerning the software application, please contact us.
https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM628128.pdf
Making Benefit-Risk Determinations
The FDA issued on September 06, 2018 the draft guidance on Consideration of Uncertainty in Making Benefit-Risk Determinations in Medical Device Premarket Approvals, De Novo Classifications, and Humanitarian Device Exemptions.
https://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddevgen/documents/document/ucm619220.pdf
AGILE Practices in the Development of Medical Device Software
The AAMI has reaffirmed the AAMI TIR45:2012/(R)2018, Guidance on the use of AGILE practices in the development of medical device software. This technical report can be purchased from the AAMI.
Five AI Takeaways from RSNA
Here are the five takeaway points from the discussions of AI at RSNA taken from the Radiology Business website (https://www.radiologybusiness.com/topics/artificial-intelligence/5-keytakeaways-new-report-ai-machine-learning-radiology):
- The industry understands the importance of AI and machine learning.
- Even those who aren’t very familiar with machine learning are buying into the hype.
- You think machine learning is big today? Give it a year or two and it’ll be much bigger.
- The No. 1 use case for machine learning right now is breast imaging.
- Some organizations aren’t adopting machine learning right now—and they have their reasons.
The full report is available on Reaction Data’s website https://www.reactiondata.com/report/machine-learning-medical-imaging/.
FDA Unveils New Mobile App for Real-World Patient Data Collection
The FDA has launched a new mobile app for capturing real-world data from patients to inform and assist clinicians in making regulatory decisions. The FDA partnered with Kaiser Permanente on a pilot study to evaluate the functionality and engagement of its MyStudies app. Following the success of the trial, the agency has released the open source code and technical documents for customizing the app to meet individualized needs.
UL 5500 – Safety for Remote Software Updates
UL 5500 has been adopted as a US National Standard. It covers the remote updating of software via the manufacturer’s recommended process. It is limited to software elements having an influence on safety and on compliance with the particular end product safety standard. It is not specific for medical devices but applies to remote updating medical of medical device software having an influence on safety. This standard can be purchased at the UL website: https://standardscatalog.ul.com/standards/en/standard_5500
FDA Responses to 510K Submissions – Software
We are still receiving responses from the FDA concerning their software. This means that this is becoming the state of the practice for the FDA. These responses relate to the run-time testing, and cybersecurity. Below is shown the wording received from the FDA in all the cases:
The submission did not include information on the tools, such as static analysis tools, that you used to detect run-time errors. This information is needed to assess whether good coding practices have been implemented to prevent common coding errors which may adversely affect the safety of the device. Please provide this information. For any such tool used, please identify what error types the tool detects, your method and process of applying the tool(s), and a summary report and/or conclusion about the results.
Note: some common run-time errors are:
- Un-initialized variables
- Type mismatches
- Memory leaks
- Buffer over/under flow
- Dead and unreachable code
- Memory/heap corruption
- Unexpected termination
- Non-terminating loops
- Dangerous Functions Cast
- Illegal manipulation of pointers
- Division by zero
- Race conditions
The information security and cybersecurity of the device is needed to evaluate the cybersecurity risks and the associated controls. The FDA has been asking for the cybersecurity even from devices that have no connectivity.
- Please discuss in detail, information on your design considerations, including mitigations pertaining to intentional and unintentional cybersecurity risks including:
- A specific list of all cybersecurity risks that were considered in your design.
- A specific list and justification for all cybersecurity controls that you established, and the justification as to why such controls are adequate. Please provide the evidence that the controls perform as intended.
- Please ensure that you address information confidentiality, integrity and availability.
- Please incorporate, as appropriate, the information identified here in your Hazard Analysis.
We are highly recommending to clients several remediations:
- SSC Class B/Moderate LOC – software require tools to test the software for run-time errors. We are recommending using static code analysis tools.
There are low end tools that should be used, e.g., Source Code Analysis package for medical device companies from Parasoft (C/C++, C#/VB.NET, Java), Microsoft Visual Studio 2013 Static Code Analysis (C/C++), IAR C-STAT static analysis (C/C++), etc. - SSC Class C/Major LOC/Special Guidance/PMA – FDA will ask for a SCA report. We highly recommend using one of the tools that we know the FDA
has evaluated. A partial list of these tools is Parasoft, Coverity, Polyspace, PQRA, Klocwork, Grammatech and LDRA. - A cybersecurity report should be prepared for submission to the FDA based upon the threat analysis.
When choosing a SCA tools, check the local support. Even though everyone offers Internet support, nothing beats having the support done locally by someone who has the experience and speaks your language.
Summary
There are many ways to screw up your software in the medical device. It doesn’t take too much talent to do this and companies are doing it daily. Many companies mess up royally and don’t know how to get out of the mess. In many cases, they don’t even know that they are in deep trouble.
You can work properly without breaking the bank. There are many ways to handle the software development/maintenance life cycle and the software validation.
If there are any questions or requests, please feel free to contact us.
Mike