Skip to content

Software in Medical Devices – Update for Q1/Q2 2020

Software in Medical Devices – Update for Q1/Q2 2020

The past few months have been very difficult, from many aspects. Not much has been happening in releasing new standards and the MDR has been postponed for a year. I do not want to miss out on this update, so you will get what there is.

This is a continuation of the software updates I have been sending out.  Please check out all the references to download and/or to purchase. If you have any questions, please contact us.

Software is everywhere in medical devices and IVDs. The FDA and CE are becoming more pedantic on how they review and relate to software. The number of companies getting into the field is growing and the amount of software being developed for medical is very large.

The is an emphasis on “digital health” where the FDA is fast-tracking many devices (even though it is only software, it is still a medical device). Just because it is software only, this doesn’t mean that you are free from all the regulations, including a quality management system, risk analysis, etc.

There are rumors that the FDA will get rid of the differences in the documentation to submit for the Level Of Concern (LOC). If this happens, all submissions will probably be like a Major LOC of today, including the static code analysis report.

 

Software Recalls Q1-Q2 /2020

We have been following the recalls and there were a growing number of recalls that are listed where software played a role in the recall. It is interesting to note that software is the leading cause of recalls in the FDA for the past 5 years. This trend does not look like it will change.

The following are additional examples of recalls involving software directly as listed on the FDA website. There were about 200 recalls in this period relating to software, including numerous class 1 recalls. There may be more but classified not under software. The descriptions given for the recall are taken from the FDA database. For further details on the recalls, you can check them out on the FDA’s recall database.

  • CME America, BodyGuard Infusion Pump System, Class I – Infusion Pump Systems may have a delivery inaccuracy of up to 13%, which may result in 1) faster than expected drug delivery when infusing at a very low rate (0.1 mL/h), or 2) slower than expected drug delivery when infusing at high flow rates.
  • Philips Respironics,Trilogy EVO Ventilator, Class I – Software defect in the Trilogy EVO and Trilogy EVO Universal Ventilator, versions SW 1.00.05, SW 1.01.09.00, SW 1.01.10.00, and SW 1.01.11.00, causing inoperative and loss of all power alarms. This defect causes an incorrect or unexpected result failing requirements TSRS1298 and PRD439.
  • Medtronic Navigation, Nexframe Stereotactic System and StealthStation Cranial software, Class I – Entry point and lead placement inaccuracies during deep brain stimulation lead implantation procedures may occur when using a specific combination of the firm’s Steriotactic System and auto-registration feature with a specific imaging system (also known as a fiducial-less procedure). Minor patient movement may not be initially detected by the user or the software during the auto-registration scan process potentially resulting in inaccuracies and risks for the patient including: inaccurate lead placement, delay of surgery, aborted surgery, or additional intervention (including revision of the lead placement and subsequent imaging).
  • CareFusion, Alaris Syringe Module, Class I – 1)Error 255-XX-XXX results in inability to edit settings 2)Delay options programming may result in no KVO rate/therapy interruption 3)Software errors results in no low battery alarm/infusion stopping 4)Medium priority KVO/End of Infusion alarms may result in unrecognized infusion completion 5)Custom concentration data entry errors results in concentrations being lower/higher than medication orders.
  • ResMed, ResMed Stellar Non-invasive/invasive ventilators, Class I – Combination of software and a component failure may cause audible alarms not to operate properly, the alarm buzzer not work, for ventilators that have a failed electronic component and, that are stored without AC power connected for more than 36 hours leading to full depletion of the battery and, that powers on automatically when connected to AC power without pressing the power switch.
  • Shanghai United Imaging Healthcare Co., uCT 530 Computed Tomography X-Ray System, Class II – Two issues were identified with the computed tomography x-ray system including a service function which may cause false marking of a bad channel resulting in ring artifacts, and potential intermittent scout scanning interruption due to occasional angle signal drift.. If these problems occur, it may be necessary to rescan the patient resulting in an additional dose of radiation and the possible need for additional contrast medium.
  • FUJIFILM Medical Systems, Synapse PACS Software, Class II – Lateromedial (LM) and Lateromedial Oblique (LMO) Orientation Markers may be displayed incorrectly on the 3D TOMO slider bar. In addition, the slice location of the image and/or the slice direction could be incorrect as well, and result in misdiagnosis.
  • Siemens Healthcare Diagnostics, Atellica Data Manager, Class II – Unexpected interface driver behavior identified (QC) Results May Be Assigned to an Incorrect Control Lot Number, and lead to the reporting of erroneous patient results if the QC failed but appeared to be passing and the issue is not detected during QC review.
  • Siemens Healthcare Diagnostics, CentraLink Data Management System, Class II – Unexpected interface driver behavior identified (QC) Results May Be Assigned to an Incorrect Control Lot Number, and lead to the reporting of erroneous patient results if the QC failed but appeared to be passing and the issue is not detected during QC review.
  • Siemens Healthcare Diagnostics, RP500e Handheld Barcode Scanner, Class II – The scanner is not confirming the integrity of read barcode data using the check-digit when reading Code 39 barcodes.
  • CME America BodyGuard Infusion Pump System, Class II – Infusion Pump Systems may have a delivery inaccuracy of up to 13%, which may result in 1) faster than expected drug delivery when infusing at a very low rate (0.1 mL/h), or 2) slower than expected drug delivery when infusing at high flow rates.
  • Mevion Medical Systems, Proton Radiation Treatment System, Class II – Couch Correction moves sent after using a 3D CT scan are partially lost if the previous correction sent or recorded had some of the Couch Correction checkboxes turned off.
  • Abaxis, Piccolo Xpress chemistry analyzer, Class II – Incorrect reference ranges of analytes.
  • Raysearch Laboratories, RayStation 8A, Class II – Software error was identified in the Pencil Beam Scanning (PBS) and Line Scanning (LS) dose calculation algorithms that could result in a local underestimation of expected dose.
  • AGFA, Digital Radiography X- Ray system DR 800 with MUSICA Dynamic, Class II – Under specific conditions (Fluoroscopic exam, ABS=OFF, manual change of parameters) wrong calculation of the dose/minute for fluoroscopy exams can be possible.
  • Siemens Medical Solutions, ARTIS icono systems with Quantification Application SW, Class II – Using Quantification Application (QVA/QCA) on DSA images may lead to a failure in vessel detection or incorrect quantification of vessel detection and result in an incorrect diagnosis and inappropriate treatment of the patient.
  • Hill-Rom, Centrella Smart+ Bed, Class II – The Bed Exit System may fail to send a remote alert through the nurse call system if a remote alert was previously sent and cancelled at the in-room nurse call wall unit.
  • Intuitive Surgical, da Vinci SP surgical system, Class II – Intuitive has become aware that the da Vinci SP system may trigger a mechanical vibration of the instrument tips and endoscope due to a software anomaly. This issue has the potential to occur only under the following, extremely rare specific conditions: 1) the user is activating Adjust Mode, AND 2) the instrument Arm is near its vertical position limit, AND 3) the user is applying sustained force against the hand control haptic feedback.
  • Inpeco, Accelerator a3600 Automation System using the Aliquoter Module, Class II – In certain firmware versions, in case a Clot Detection error (error code E0E0 or 13E0) is generated during the sample aspiration the current error recovery procedure dispenses 2/3 of sample volume back into the Primary Tube. Evidence from the field showed that in case of Clot Detection error, this management may lead to the dilution of the Primary Tube with the distilled water of the hydraulic circuit of the Aliquoter Module.
  • Siemens Medical Solutions, ARTIS Pheno – Interventional Fluoroscopic X-Ray System, Class II – If the C-arm leaves its intended travel path due to a fault within the drivetrain, movements may be impacted or impossible and the area of interest cannot be reached. In the event the C-arms movements are not possible, the system can only be returned to normal operation with the support of a field service engineer.
  • Medtronic, Guardian Connect App CSS7200 iOS and Guardian Connect Transmitter GST4C used on the iPhone, iPad and iPod Touch, Class II – Customers using the firm’s continuous glucose monitoring system application on an iPhone, iPad or iPod Touch with iOS software version 12, 12.1, or 12,2 are likely to experience a shortened transmitter battery life (approximately 4-5 days instead of the normal 7 days or more) after a full charge.
  • The Binding Site Group, Optilite Clinical Chemistry Analyzer, Class II – A software issue that may affect the analyzer’s result accuracy.
  • Sunrise Medical, Quickie/Zippie powered wheelchair, Class II – Due to programming errors in the Controller, an increase in the set motor parameters can be made by the end user beyond tested safe limits.
  • Remel, SWIN 2017 database, Class II – Potential for out of range microbial results.
  • Elekta, MONACO RTP System, Class II – The Monaco RTP Radiation Treatment Planning System may change the shape and volume of the contour potentially resulting in the device delivering an inaccurate dose.
  • Philips, Azurion 7 M20 -XperGuide Software hosted in Interventional Workspot 1.5, Class II – When a user acquires XperCT scan on an Azurion 2.0 system, enters the XperGuide guidance step and moves the L-arm away from the initial scan position before starting the live guidance, a warning message directs the user to move the L-arm stand back to the initial XperCT scan position. Although the software generates this message, it does not prevent the use of live guidance if the L-arm stand is not repositioned. Using live guidance with a mispositioned L-arm can result in the display of an incorrect overlay and needle path.
  • Obalon Therapeutics, Balloon System with Model 4300 Touch Dispenser Touchscreen, Class II – During initial set-up and/or replacement of the dispenser batteries, the touch dispenser touchscreen can inadvertently lose calibration. This issue can also occur if the touchscreen is pressed when the device is powered on in preparation for a balloon administration. As a result, the touchscreen can become unresponsive and balloon inflation cannot be initiated.
  • ViewRay, Model No. 10000 and 20000 for radiation treatment, Class II – Registering dose and structures in the treatment delivery workflow could result in an alignment discrepancy between the imported previously delivered dose and the displayed patient anatomy and structures. The MRIdian TPDS software shows this misalignment to the user in the predicted dose-volume histogram (DVH). The misalignment impact may not be obvious to the user. During plan re-optimization the previously delivered dose would be incorrectly accounted for by the software. This may result in unexpectedly higher or lower dose than the intended dose calculated for the subsequent treatment plan. When this occurs in the treatment planning workflow, the registration fails to align the dose with the image and the user is unable to proceed.
  • Philips, TRx4841A 1.4 GHz IntelliVue Tele TRX, Class II – The ECG signal from patients being monitored using a Philips TRx4841A and TRx4851A Telemetry Transceiver may not be properly analyzed when it is used with a Philips Patient Information Center iX Release C.02.xx or C.03.01. If this occurs, the Information Center will not display a heart rate or generate, display or annunciate any heart rate or arrhythmia alarms.
  • Radiometer Medical, ABL90 FLEX PLUS Analyzer, Class II – The firm received reports of occurrences where the barcode reader misinterpreted the contents of a locally printed barcode label used for entering patient ID or accession number into the analyzer in connection with a sample measurement. This could result is patient mixup and/or loss of sample, resulting in delayed medical treatment.
  • Fresenius Medical Care Holdings, Fresenius 2008T Hemodialysis Machine, Class II – A “Remove USB Device 2” false alarm may be displayed when no USB device or a non-powered USB device is connected to the USB port on the rear of the machine.
  • Beckman Coulter, Power Express Sample Processing System AU5800XL connection unit, Class II – Potential exposure to biohazard. Software design problem causes excess speed and vibrations in the unload arm movement which causes caused sample splashing.
  • Shanghai United Imaging Healthcare Co., Positron Emission Tomograpy and Computed Tomography System, Class II – Potential sporadic software bugs in R001.3.0.0.750505 software version may cause an issue with the PET acquisition raw data causing reconstruction problems during PET/CT scanning and could possibly cause rescans of patients with additional dose.
  • Sysmex America, CF-70 instrument, Class II – Software mismatch-When the software versions between the SP-50 and CF-70 are not matched, and an error condition occurs requiring the operator to open the cover door of the CF-70 to remove slides or slide magazines from the CF-70, the operation of the CF-70 does not halt.
  • Canon Medical System, Aquilion Lightning, Class II – Scanning may be interrupted due to an error during execution of the eXam Plan and the system is unable to be shut down normally, resulting in the need to forcibly turn the system power off and reboot. Loss of the acquired raw data would occur.
  • Abbott Laboratories, TactiSys Quartz Equipment, Class II – In reported cases, the device log on the TactiSys Quartz Equipment operating on Software Version 1.7.0 fills the allocated disk space, which prevents the storage of new log data. This may lead to intermittent contact force data to be displayed during the procedure.
  • Radiometer Medical, ABL800 FLEX, Class II – Analyzer’s barcode reader misinterprets the contents of barcode label used for entering patient ID or accession number. The issue is related to barcode types not using a check digit. This could result in patient mixup or loss of sample resulting in delayed medical treatment.
  • Haemonetics TEG Manager, TEG Manager, Class II – Software defect in TEG Manager impacts the displayed alert for out of range test results. Due to this defect, reference range values received from TEG 5000 and displayed on the TEG Manager test result screen are rounded to the nearest whole number and lead to TEG Manager displaying an out of range alert when the test result is actually in range, or vice versa.
  • Elekta Impac Software, MOSAIQ, oncology information system, Class II – The user may inadvertently enter Metric values into Height and Weight fields labeled with US Standard Units.
  • Abbott, LN 3R70-01, Class II – Abbott has identified potential performance issues for the Alinity ci -series Software version 2.6.2 and earlier.
  • Intellijoint Surgical, Intellijoint Navigation System, Class II – During total knee arthroplasty (TKA), the software may incorrectly calculate femur resection depth.
  • Insulet, Omnipod DASH Personal Diabetes Manager, Class II – In certain scenarios, the Omnipod DASH PDM may suggest an inaccurate bolus amount based on a blood glucose value that is more than 10 minutes old when the user does not exit the bolus calculator as designed or when a system alarm interrupts a bolus calculation. If the user delivers the bolus, this may lead to hypoglycemia or hyperglycemia.
  • Medtronic, CareLink Encore 29901 Programmer, Class II – Medtronic Conexus Telemetry has been determined to contain two primary cyber vulnerabilities: improper access control and the cleartext transmission of sensitive information.
  • Siemens Medical Solutions, Artis zee Biplane/Ceiling/Floor, Class II – A software issue could potentially cause the stand and table movements to be blocked.
  • Braemar Manufacturing, DL950 Holter Monitor, Class II – This issue can prevent the recorder from operating normally. Braemar confirmed that beginning on January 1, 2020 if a AAA battery is inserted in the recorder and a user attempts to start it, the recorder will display Error: 602 and fail to function for a new patient study. There are no actions that a clinical user can take to clear this error. Even if this error code is displayed, existing ECG recordings stored on the device can still be downloaded via the standard Holter Application Software. Error 602 may be able to be cleared by technical or engineering staff at the customer site.
  • Vyaire Medical, bellavista 1000 ventilator, Class II – The G6 bellavista 1000 US ventilators may experience intermittent failures: Lack of acoustic high priority alarm, presence of a ‘no alarm’ condition, or presence of non-responsive touch screen.
  • Biomerieux, VIDAS 3, Compact immunoanalyzer, Class II – Following Customers complaints, investigations have been initiated on potentially false results obtained on VIDAS 3 with an expired calibration. Indeed, the calibrations of assays were valid in the calibration menu whereas in fact the calibrations were expired and no alarm displayed to warn the users about the expiration date of the calibrations. Software computes results of analysis for assays with expired calibrations. The anomaly is due to an incorrect update of the calibration status by the software.
  • Dexcom, Dexcom G6 CGM App for iOS, Class II – It was reported that the user’s low alarm feature on the iOS application were not properly alerting users when the user has enabled the Alert Schedule feature more than 30 days after installing the iOS application.
  • Philips Medical Systems, CombiDiagnost PCF, Class II – When using the Table Up/Down button, the system may experience Error 80, which locks the geometry in that specific state, requiring the intervention of a service Engineer. Additionally, the thermos switch, which handles power down of the unit in case of transformer overheating, was installed incorrectly at production.
  • Siemens Medical Solutions, Luminos Agile Max/ Ysio Max, Class II – A software bug may lead to one image to be assigned to two different patients, which could potentially affect medical diagnosis.
  • Blue Ortho, TKA Pro, Class II – The navigated values displayed when using the LPI instrumentation are incorrect due to software inconsistencies (wrong data loaded).
  • Tosoh Bioscience, AIA-360 Automated Immunoassay Analyzer, Class II – A display screen software issue on the analyzer causes the display to freeze when display screen is touched at the same time as a command from the instrument firmware, causing the instrument to stop. As a result, the run is aborted and the results are not retrievable.
  • MEDTECH, ROSA One 3.1 Brain Application, Class II – Some cross-sectional images from the image acquisitions of the patients head may not be reconstructed/displayed properly in two and three dimension views when using ROSA Brain software, potentially compromising the surgery planning.
  • Philips, VesselNavigator application used with Philips Azurion, Class II – Due to a software defect, when a digital subtraction angiography (DSA) is exported to the VesselNavigator application, the DSA is displayed without subtraction.
  • Clinical Diagnostic Solutions, Medonic M-Series Hematology Analyzer, Class II – A mix-up of autosampler tube positions with a possibility of misidentification of sample results and a risk of operator injury from an exposed aspiration needle.
  • Dexcom, Receiver, Class II – It has been reported that use of the mobile receiver with software version SW10617 rev 4.0.1.048 have reported: 1. the receiver becoming stuck on initialization screen when powering on. This will cause patients not to be able to receive glucose values or alerts; 2. Reinitialization of the receiver without user interaction. If this occurs, the receiver will either reboot and operate normally or require the user to press the Select button on the receiver in order to resume normal operation. In this situation, the user is provided an audio and vibratory alert every 5 minutes. Until the select button is pressed, patients will not receive glucose values or alerts.
  • Roche Diagnostics Operations, Cobas infinity central lab / Cobas infinity core license, Class II – Cobas infinity laboratory solution Version 2.4.1 through Version 2.5.4 Using a CommServer Driver – Incorrect Alarm Mapping.
  • GE Healthcare, IGNA Vibrant Nuclear Magnetic Resonance Imaging System, CISA Releases Emergency Directive and Activity Alert on Critical Microsoft It was identified that due to a potential installation workflow issue, the MR system date could be set incorrectly. The system s date and time setting are used to populate the DICOM header information on images. This could result is an inaccurate date recorded on the images.
  • Raysearch Laboratories, RayStation stand-alone software treatment planning system, Class II – Three issues found: i) The Map ROI options in the ROI list in the Structure Definition module may generate unintended ROI geometries ii) Elekta guard leaf behavior. There is an interoperability issue with Elekta regarding setting of guard leaves. iii)SSD, when intended as source-to-surface distance, it sometimes gives source-to-skin distance. To the best of our knowledge, these issues have not caused any patient mistreatment or other incidents. However, the user must be aware of the following information to avoid incorrect dose calculations during treatment planning.
  • Radiometer Medical, AQURE basic sytem, Class II – The firm has become aware that there is a potential problem relating to the blood gas and immunoassay analyzer Systems that may result in patient mix-up when connected to some third-party devices. The error may lead to serious adverse health consequences for the patient caused by patient data mix-up.
  • GE Healthcare, Centricity Universal Viewer 6.0, Class II – Centricity Universal Viewer measurements saved into a DICOM Grayscale Presentation State are incorrect in subsequent views for exams containing series with different pixel sizes and may lead to a potential misdiagnosis.
  • Immersivetouch, ImmersiveView software, Class III – Observed an internal repetitive software glitch in ImmersiveView.
  • ICU Medical, Cogent Hemodynamic Monitoring System, Class II – Firm identified software issues which leads to the patient ID and patient information not being stored in the system.
  • Merge Healthcare, Merge Application Server and Merge Healthcare Merge Cardio Workstation, Class II – An error in the calculation of the Michigan Reference Ranges can generate an inaccurate Z-Score calculation. The error may reduce the sensitivity of the Z-Score in detecting an abnormality resulting in a false negative.
  • Varian Medical Systems, Multileaf Collimator, Class II – After a recent upgrade to the collimator software version 8.5, the firm became aware that the multi-leaf collimator leaves did not move during an arc treatment. The issue is related to a transient carriage primary- secondary interlock due to carriage fault on the MLC that immediately preceded the initiation of the arc treatment. The issue will occur only with MLC software version 8.5 and only affects conformal arc treatments, including VMAT and RapidArc. There have been no reports of adverse health consequences due to this issue.
  • LivaNova, VNS Therapy Programmer, Class II – False positive warning may occur after: 1) VNS Generator interrogated at 0mA normal output current, 2) Generator programmed to non-0mA output current, 3) In-session re-interrogation performed. Users instructed to lower output current and widen pulse width. Only system diagnostic testing evaluates output current. Users may conclude device malfunction, could lead to medical/surgical intervention.
  • Siemens Medical Solutions, COHERENCE Oncologist, Class II – A potential safety issue arises when an offset calculation is followed by a filter operation; correcting the image alignment after this sequence will result in incorrect offset values which could lead to incorrect repositioning of the patient and dose to wrong location.
  • Mindray, DP-30 Digital Ultrasonic Diagnostic Imaging System, Class II – The DP-30 displays an incorrect needle-guide bracket when used with the 65EC10EA model transducer.
  • Spacelabs Healthcare, Xhibit Central, Class II – The firm received reports of loss of audio alarm after a power failure or cable disconnection. The loss of audio for a telemetry patient could delay the recognition of an alarm condition.
  • Beckman Coulter, LabPro Data Management System, Class II – A security-only update was released via remote diagnostics on January 14, 2020 to customers with Windows 7 operation system. Shortly after the releases some customers reported that Data Management System computers would not restart. If the computer is unable to restart, then the system cannot download data generated from MicroScan instruments or manually entered microbiology test results, resulting in a potential of delayed results.
  • Hill-Rom, NaviCare Patient Safety Software, Class II – There is a software issue which may result in failure to monitor or control patient’s bed exit mechanism.
  • Quidel Cardiovascular, Quidel Triage TOX Drug Screen Control, Class II – Due to an error in the programming of the Control CODE CHIP module for this lot, a failing result is inappropriately displayed for AMP and mAMP. This issue results in the Triage Meter displaying a failing control result for the AMP and mAMP tests when the control did not fail.
  • Ra Medical Systems, Pharos Excimer Laser, Class II – At doses of less than 100 mJ, in custom and auto repeat modes, a software error in the excimer laser phototherapy system causes the device to fail to cease firing as long as the foot pedal or handpiece switch is depressed. This malfunction can cause overtreatment, which could result in strong erythema, and possibly cause blisters.
  • Qiagen Sciences, Rotor Gene Q Software, Class II – When using the Rotor-Gene Q with Software version 2.3.4 completing a LIMs export, the .csv file reports the calculated concentration result value as a logarithmic value, and could lead to a false negative result, which could lead to serious medical consequences such as the suspension or non-initiation of treatment.
  • Flowonix Medical, Prometra II 40mL Pump, Class II – A pump alarm function anomaly in the pump firmware code may result in the pump not sending the expected error code notifications to the Programmer, or not emit an audible alarm tone in certain “out of tolerance” conditions associated with the pump’s valve system.
  • Preventice Services, BodyGuardian Heart Remote Monitoring Kit, Class II – The device data being collected and transferred to the monitoring center may not be accurate due to nonvalidated association between the phone software and the heart monitors, therefore, the patient’s report should not be used to evaluate their condition.
  • Inpeco, Abbott Accelerator a3600 Centrifuge Module/Siemens Aptio Automation Centrifuge Module, Class II – The FlexLab Centrifuge Module loading algorithm may lead to unbalanced loads which could damage the centrifuge.
  • Siemens Healthcare Diagnostics, Atellica IM Humidity Pack, Class II – A software error is causing the analyzer to incorrectly eject affected Humidity Packs as expired.
  • Advanced Bionics, SoundWave Professional Suite, Class II – The manufacturer received complaints that customers were attempting to install the fitting software using the supplied USB drive, an error message was received, and installation failed. The failed installation has not impact to the current version of the software, and users are able to continue programming devices with the current software version.
  • Beckman Coulter, iChemVELOCITY Urine Chemistry System, Class II – Customers have reported incidents where two sets of results report the same Specimen Identifier (Specimen ID) with different results, different Medical Record Number (MRN) and different patient identification (demographics).
  • Beckman Coulter, iQ200 Series Urine Microscopy Analyzer, Class II – An Urgent Medical Device Recall letter was sent during the week of 10/28/2019 to the affected customers via mail and e-mail. The notice stated the misidentification issue as follows: Customers have reported incidents where two sets of results report the same Specimen Identifier (Specimen ID) with different results, different Medical Record Number (MRN) and different patient identification (demographics).
  • Philips Healthcare Informatics, IntelliSpace PACS 4.4, Class II – Images may potentially become corrupt while using the system.
  • GE Healthcare, Giraffe Incubator with installed Servo Oxygen module, Class II – Potential for certain Giraffe Incubators and Giraffe OmniBeds to deliver a different environmental oxygen level than what is displayed by the device, if a certain optional component referred to as the Servo Oxygen Module is installed.
  • Siemens Medical Solutions, MAMMOMAT Revelation, Class II – If an examination is interrupted when the InSpect Projection View (PV) is active and the vacuum biopsy system is being used, the tube arm’s manual movement range is decreased from +/-15 deg. to +/- 6 deg. This limitation may lead to difficulties in removing the vacuum biopsy system.
  • Hocoma, Lokomat Pro, Class II – The motor controller may fail, which can potentially lead to an error in functionality of the Body Weights Support Rope, which means that the rope can go up or down in an uncontrolled way.
  • Baxter Healthcare, Flow Coupler Monitor, Class II – A firmware issue may cause the GEM1020M-2 Flow Coupler Monitor to intermittently shut down when a WiFi connection is not established.
  • Eizo Corporation, RadiForce GX560 monochrome LCD monitor, Class II – Under certain conditions, a marble pattern infrequently appears on the monitor.
  • Elekta, Unity Philips Marlin Software, Class II – In TSM (Treatment Session Manager) Motion Monitoring workflows, under certain conditions there can be a mismatch between the contour data overlay with respect to the motion monitoring images of the monitored structure.
  • Insulet, Omnipod DASH Insulin Management System, Class II – After the device has been in use for about 2 months, data processing in the PDM can be slowed such that the Bolus Calculator fails to accurately subtract the correct amout of IOB before suggesting a bolus amount.
  • Cuattro, CuattroDR System Software, Class II – There is a potential that an image from a previous patient study to show up in a later patient study. This may result in misdiagnosis of the correct patient.
  • Medtronic, MiniMed Paradigm 511 pump, Class II – The action is being initiated due to potential cybersecurity vulnerabilities related to a series of insulin pumps that are designed to communicate using a wireless radio frequency (RF). An unauthorized person could potentially connect wirelessly to a nearby insulin pump to change settings and control insulin delivery.
  • Philips North America, DigiTrak XT Holter Recorder, Class II – If an AAA battery is inserted in the recorder and a user attempts to start it, or if the recorder is inserted in the docking station, the recorder will display Error: 602 and fail to function for a new patient study.
  • Pacific Medical Group, Button-Style Ultrasound Transducer, Class II – Fetal/maternal monitor/monitoring systems serviced or remanufactured using non-OEM equivalent components that have not been appropriately verified or validated. Possible adverse clinical impact: inability to accurately detect and measure fetal heart rate, inability to accurately detect maternal peripheral oxygen saturation, inability to monitor uterine activity to follow contractions, inability to determine temperature, and maternal blood pressure, lack of electrocardiography tracing, patient/clinician burns, and delay in detecting maternal or fetal distress.

 

New Standards/Technical Reports

ISO TIR24971:2020, Medical devices—Guidance on the application of ISO 14971

This is the guidance on the application of ISO 14971:2019.

 

ANSI/CTA-2089.1-2020, Definitions/Characteristics Of Artificial Intelligence In Health Care

This standard defines terms related to artificial intelligence and associated technologies in health care including assistive intelligence, synthetic data, remote patient monitoring, and artificial intelligence enabled diagnostic system.

 

FDA Recognized Consensus Standards (since last update)

62366-1 Edition 1.1 2020-06, Medical devices – Part 1: Application of usability engineering to medical devices

 

Cybersecurity Vulnerabilities in GE Equipment

FDA on 23/1/20, informed health care providers, facilities and patients about potential cybersecurity vulnerabilities for certain GE Healthcare Clinical Information Central Stations and Telemetry Servers.

 

CISA Releases Emergency Directive and Activity Alert on Critical Microsoft Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. A remote attacker could exploit these vulnerabilities to decrypt, modify, or inject data on user connections.

Although Emergency Directive 20-02 applies only to certain Executive Branch departments and agencies, CISA strongly recommends state and local governments, the private sector, and others also patch these critical vulnerabilities as soon as possible.

https://cyber.dhs.gov/assets/report/ed-20-02.pdf

 

FDA’s Cybersecurity Guidance Update

According to sources, the FDA will not release a new guidance for cybersecurity in 2020. Additionally, when the new guidance (based on the draft version from 2018) is released (probably Q1/Q2 2021), it will be in draft form where there will a duration for accepting comments. Accordingly, the final guidance should be released early 2022.

 

When and How to Use Sub-contractors for Software Development

There are pluses and minuses in using sub-contractors to develop the software of a medical device. If the company is a start-up, it usually doesn’t have the resources to develop quality software. In this case, the decision to use a sub-contractor comes easy.  It makes sense to use a good sub-contractor to develop the software. The question arises, what to allow the sub-contractor to do and how to control the work being done.

When discussing the project with the sub-contractor, he will swear that he knows what the regulatory bodies want, he knows the standards, he knows how to develop the code according to required guidelines, he knows how to write the documents, he knows how to validate the software, etc.

It’s very probable that the sub-contractor has worked on a number of projects that have cleared the FDA/CE. The clearance can be due to good software documentation produced or due to more luck than experience, as the reviewer did not review the documentation in depth.

Additionally, the sub-contractor will tell you he can write the software requirements and validate them. Would you let the cat watch the cream? As you know what is required, you should write the software requirements specifications. If the sub-contractor writes the software requirements, they will reflect what the software actually does and not what you required.

Accordingly, you should also validate the software according to the requirements. You know what is expected and this way, you can make sure the software meets the formal requirements defined.

You should also have a SOW (Statement of Work) with the sub-contractor detailing the scope of work, documentation standards, participation in audits (internal, external) if required, implementation documentation (unit test summaries, integration test summaries, code review summaries, verification testing summaries, etc.) on your forms (not the sub-contractor’s forms), etc.

The sub-contractor should be trained according to your SDLC procedure (even if they tell you that they are certified). You do not want your external auditor (FDA/NB) deciding that they want to audit your sub-contractor.

 

Sub-contractors developing software (firmware, mobile, cloud, AI, etc.) who are looking to expand their portfolio and get deeper into medical devices are invited to contact me to find out what is required from them and how they can get their message to the companies looking for software development.

 

Software Safety Classes (IEC 62304) versus Levels of Concern (FDA)

Both, IEC 62304 and the FDA (Content of Premarket Submissions for Software Contained in Medical Devices) distinguish three different categories of medical device software. The IEC 62304 uses the software safety classes (SSC) and the FDA guideline uses the Level of Concern (LOC). This causes much confusion.

The SSC is defined as follows in IEC 62304:2006 + A1:2015:

  • The software system is software safety class A if:
    • the software system cannot contribute to a hazardous situation; or
    • the software system can contribute to a hazardous situation which does not result in unacceptable risk after consideration of risk control measures external to the software system.
  • The software system is software safety class B if:
    • the software system can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the software system and the resulting possible harm is non-serious injury.
  • The software system is software safety class C if:
    • the software system can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the software system and the resulting possible harm is death or serious injury.

The LOC is determined as follows in the FDA’s Content of Premarket Submissions for Software Contained in Medical Devices:

  • Major: We believe the level of concern is Major if a failure or latent flaw could directly result in death or serious injury to the patient or operator. The level of concern is also Major if a failure or latent flaw could indirectly result in death or serious injury of the patient or operator through incorrect or delayed information or through the action of a care provider.
  • Moderate: We believe the level of concern is Moderate if a failure or latent design flaw could directly result in minor injury to the patient or operator. The level of concern is also Moderate if a failure or latent flaw could indirectly result in minor injury to the patient or operator through incorrect or delayed information or through the action of a care provider.
  • Minor: We believe the level of concern is Minor if failures or latent design flaws are unlikely to cause any injury to the patient or operator.

The SSC classes determine the software life-cycle development processes to be performed and documented.  Class A has the least processes and documentation required and Class C has the most. The SSC is determined at the beginning in the project.

The LOC determines the document to be submitted as part of the submission (and not as part of the development process). The LOC must be determined before the submission. It has been known in numerous cases, that the FDA has determined the LOC is different than what the company determined (the FDA always wins).

There is a virtual connection between the SSC and the LOC, but they both relate to different aspects (processes and documentation vs. documentation to be submitted) and should be handled accordingly.

 

FDA Responses to 510K Submissions – Software

We are still receiving responses from the FDA concerning their software.  This means that this is becoming the state of the practice for the FDA. These responses relate to the run-time testing, and cybersecurity. Below is shown the wording received from the FDA in all the cases:

  1. The submission did not include information on the tools, such as static analysis tools, that you used to detect run-time errors. This information is needed to assess whether good coding practices have been implemented to prevent common coding errors which may adversely affect the safety of the device. Please provide this information. For any such tool used, please identify what error types the tool detects, your method and process of applying the tool(s), and a summary report and/or conclusion about the results. Note: some common run-time errors are:
    1. Un-initialized variables
    2. Type mismatches
    3. Memory leaks
    4. Buffer over/under flow
    5. Dead and unreachable code
    6. Memory/heap corruption
    7. Unexpected termination
    8. Non-terminating loops
    9. Dangerous Functions Cast
    10. Illegal manipulation of pointers
    11. Division by zero
    12. Race conditions
  2. The information security and cybersecurity of the device is needed to evaluate the cybersecurity risks and the associated controls. The FDA has been asking for the cybersecurity even from devices that have no connectivity.
    1. Please discuss in detail, information on your design considerations, including mitigations pertaining to intentional and unintentional cybersecurity risks including:
    2. A specific list of all cybersecurity risks that were considered in your design.
    3. A specific list and justification for all cybersecurity controls that you established, and the justification as to why such controls are adequate. Please provide the evidence that the controls perform as intended.
    4. Please ensure that you address information confidentiality, integrity and availability.
    5. Please incorporate, as appropriate, the information identified here in your Hazard Analysis.
  3. The FDA has been reading the software documentation, including the Risk Analysis, SRS, SDD, STD, STR, Traceability Report, OTS Report, Cybersecurity, etc. They have been raising issues as shown in the following:
    1. SRS: contradictions and not containing information necessary to understand the requirements for your device software; requirements related to programming language requirements or to the interfaces.
    2. SDD: high-level architecture and does not include the level of detail expected for software architecture; does not include information necessary to ensure that your software is safe and effective for the intended use of the device; missing information for all the third-party devices used by your system.
    3. Traceability Report: traceability documentation does not link between requirements to the hazards
    4. Testing: it doesn’t include a summary of the static analysis, examples of unit integration testing, and a summary of the results.

 

We are highly recommending to clients several remediations:

  • SSC Class B/Moderate LOC – software require tools to test the software for run-time errors. We are recommending using static code analysis tools. There are low end tools that should be used, e.g., Source Code Analysis package for medical device companies from Parasoft (C/C++, Java, C#/VB.NET), Microsoft Visual Studio Static Code Analysis (C/C++), IAR C-STAT static analysis (C/C++), etc.
  • SSC Class C/Major LOC/Special Guidance/PMA – FDA will ask for a SCA report. We highly recommend using one of the tools that we know the FDA has evaluated. A partial list of these tools is Parasoft, Coverity, Polyspace, PQRA, Klocwork, Grammatech and LDRA.
  • A cybersecurity report should be prepared for submission to the FDA based upon the threat analysis.
  • Using tools for cybersecurity testing, penetration testing, etc.

When choosing SCA and cybersecurity tools, check the local support.  Even though everyone offers Internet support, nothing beats having the support done locally by someone who has the experience and speaks your language.

 

Summary

There are many ways to screw up your software in the medical device whether it is embedded in dedicated hardware (also known as SiMD – Software in a Medical Device) or stand-alone health software (also known as SaMD – Software as a Medical Device).  It doesn’t take too much talent to do this (as we all know) and companies are doing it daily.  Many companies mess up royally and don’t know how to get out of the mess. In many cases, they don’t even know that they are in deep trouble until the recall is issued.

You can work properly without breaking the bank. There are many ways to handle the software development/maintenance life cycle and the software validation.

If there are any questions or requests, please feel free to contact us.

 

Mike

 

Download the Full Update
Back To Top
Search