Software in Medical Devices – Update for Q1/Q2 2024 The past year, as in previous…
Software in Medical Devices – Update for Q1/Q2 2023
Software in Medical Devices – Update for Q1/Q2 2023
The past year, as in previous years, life has not been that easy from many distinct aspects. We have finally seen the FDA moving forwards with new standards. The MDR is still happening but moving slowly as there is a major backup in getting to the notified body.
This is a continuation of the software updates I have been sending out. Please check out all the references to download and/or to purchase. If you have any questions, please contact us.
Software is everywhere in medical devices and IVDs. The FDA and CE are becoming more pedantic on how they review and relate to software. The number of companies getting into the field is growing and the amount of software being developed for medical is exceptionally large.
The is an emphasis on “digital health” where the FDA is fast-tracking many devices (even though it is only software, it is still a medical device). Just because it is software only, this doesn’t mean that you are free from all the regulations, including a quality management system, risk analysis, etc.
Software Recalls Q1-Q2/2023
We have been following the recalls and there are a growing number of recalls that are listed where software played a role in the recall. It is interesting to note that software is the leading cause of recalls in the FDA for the past 10 years. This trend does not look like it will change.
The following are additional examples of recalls involving software directly as listed on the FDA website, including Israeli developed software. There may be more but classified not under software. There are a number of class I recalls after patients were severely injured and even died. The descriptions given for the recall are taken from the FDA database. For further details on the recalls, you can check them out on the FDA’s recall database.
Please note that the content for each recall is taken from the FDA database and is not our content.
- Getinge Usa Sales, Getinge Flow-c Anesthesia System, Class I – Due to a software bug, under certain conditions, pressure cannot be built up resulting in no ventilation. If gas delivery is stopped, a sustained decrease in delivered O2 concentration may lead to hypoventilation and hypoxia.
- Medtronic Navigation, StealthStation Cranial Software, Class I – In nonaxial/some axial exams if surgical plan utilized, Target Guidance selected, tip projection utilized, Navigate Projection enabled, software anomaly may occur during tumor resection/shunt placement/deep brain stimulation, where distance to/past target text no longer synchronized with navigation information, inaccurate value displayed; may result in prolonged/additional procedure, tissue injury.
- Datascope, Cardiosave Hybrid, Class I – An unexpected shutdown of the IABP may occur due to loss of communication between the Executive Processor PCBA and the Video Generator PCBA. This may result in an interruption to therapy which may threaten the hemodynamic stability of the supported patient as the user is left unaware to the status of the Cardiosave IABP.
- Cardiac Assist, LifeSPARC System, Class I – A software update (v1.1.5) has been developed to address the issue of Critical Failure which can occur on the LifeSPARC Controller. The Critical Failure was first addressed in the firm’s recall initiated July 21, 2022. During the Critical Failure, the software freezes or crashes and the screen does not display data.
- Philips Respironics, DreamStation Auto BiPAP and CPAP, Class I – A limited number of remediated Philips DreamStation units may experience communication issues when connecting to the cloud-based care management application. Should this be the case, this may affect the ability to download prescription settings to the device or the device may have incorrect prescription settings for the patient.
- Baxter Healthcare Corporation, NaviCare Patient Safety, Class II – Baxter identified a potential risk where the “safety” monitoring and “bed exit” monitoring features may enter a permanent state of alert suppression. In this state, a caregiver may not be alerted remotely when assigned patient protocols (bed exit, siderail position, brakes off, height of bed changes, head of bed angle, and/or turn reminders) are turned off.
- Draeger Medical Systems, Softbed Resuscitaire, Class II – The Resuscitaire Infant Radiant Warmer with the optional scale could display inaccurate weight values.
- SenTec, V-Sign Sensor 2, Class II – The sensors may experience an out-of-box failure because after recalibration, the sensors stayed in the software mode “production” and were not reset to “released” mode.
- Remote Diagnostic Technologies, V-Sign Sensor 2, Class II – Defibrillator/pacemaker module (DPM) may encounter a problem causing communication from the Mainboard to the DPM to fail, leading to no or ineffective pacing with displayed error message “HW failure DPM”.
- Diagnostica Stago, STA Compact Automated Multi-Parametric Analyzer, Class II – An internal investigation identified a bug in this firmware version, resulting in the following: Intermittent shortened coagulation times and an increased frequency of occurrence of a technical error reported by the analyzer (error 13).
- Jude Medical, CardioMEMS HF System PA Sensor and Delivery System, Class II – Select CardioMEMS PA Sensors (Model CM2000) operate outside of the intended frequency range at higher elevations when readings are taken over approximately 2,000 ft. (610 meters) above sea level; operation outside of the intended radiofrequency has the potential to result in inaccurate readings or sensor signal acquisition difficulties.
- SEDECAL SA, Phoenix mKDR Xpress, Class II – Sedecal was informed of 3 incidents of erratic movements related to X-ray mobile systems.
- Roche Molecular Systems, cobas SARS-CoV-2 & Influenza A/B Qualitative nucleic acid test for use on the cobas 5800/6800/8800 Systems, Class II – The firm received customer complaints regarding false negative Influenza A (Flu A) results and late Flu A Target Ct values. A false negative influenza A result may lead to additional testing, psychological distress, and delays to targeted therapy for influenza as well as true diagnosis.
- BioReference Health, 4Kscore Test, Class II – SPM software anomalies that may lead to the generation of erroneous 4Kscore Test results.
- CareFusion 303, BD Pyxis MedStation ES, Class II – Automated dispensing cabinet software is experiencing: 1) ES device download failure resulting in partial patient information loss that leads to 2) partial loss of patient transaction data, seen as a server upload processing error. Outdated/incorrect information display may contribute to the removal of medication to which the patient is allergic, incorrect dose amount, or discontinued medication.
- Withings, Scan Monitor/ScanWatch, Class II – A software bug eliminated the initial ECG activation and review of the ECG under a physician. However, the device is only cleared for use under the care of a physician.
- CareFusion 303, Alaris PC Unit 8015, Class II – Infusion pump PCs with specific software/network cards/IP addresses can have network/wireless connection failure. Could cause inability to receive new datasets and inability to transfer retrospective analytics data to connected systems. Users with interfaces to electronic medication record or admin discharge transfer, may be unable to receive/send data; infusions may need to be manually programmed.
- Merit Medical Systems, Flex-Neck Catheter External Repair Kit, Class II – Product that was built for design verification testing was inadvertently distributed to customers.
- Boston Scientific Corporation, LATITUDE NXT Remote Patient Management System, Class II – Under specific circumstances, the U.S. product registration system did not send up enablement requests to U.S. LATITUDE Customer Support during an 8-month interval in 2022. For these patients, the HeartLogic Index and any associated Yellow Alerts are currently not visible in LATITUDE as may have been intended by the healthcare provider.
- Medtronic MiniMed, Guardian iOS app, Class II – An app, part of a continuous glucose monitoring system, for use with smartphone devices may automatically log out from CareLink, then the app is not able to upload data. When logged out, linked care partners will not receive SMS notifications (could result in hypoglycemia or hyperglycemia), and sensor glucose values will also not be sent to the InPen app.
- Philips North America, EarlyVue VS30 Vitals monitor, Class II – EarlyVue VS30 Vital Signs Monitor and EarlyVue VS30 Vitals monitor Missing Calibration Alarm, a risk of an inaccurate CO2 measurement which may lead to a failure to recognize a change in patient condition.
- Philips Headquarters Cambridge, Incisive CT Plus, Class II – Whole-body computed tomography (CT) X-Ray System, Class II – Potential for Incorrect Image Orientation resulting images may be flipped or reversed result in misdiagnosis, incorrect treatment of a condition, or additional radiation exposure if a rescan is required.
- Technidata S.A., TDHisto/Cyto, Class II – In a specific use case, when printing labels for slides, some labels may display wrong information.
- Siemens Medical Solutions USA, ARTIS Pheno Systems, Class II – If, during the procedure, X-ray has been released and a reference image has been stored, the following issue may occur: If “Adjust C-arm to Ref” is activated when the C-Arm is positioned outside of the working range the C-Arm will reach the target position with an inaccuracy of 5-10 mm. As a result, the message Endposition reached will be displayed .Leading to unintended direction of the movement causing crushing of a patient, staff member, operator, or equipment Live images may not match the previously stored reference images. Overlay images may be shown inaccurate on anatomy (e.g., DSA Roadmap workflow does not match real anatomy). This may cause e.g., a vessel perforation in DSA roadmap.
- Draeger Medical Systems, Draeger Infinity M300 and M300+, Class II – The software on the Infinity CentralStation drops peaks on narrow waveforms causing the Infinity M300 to fail to meet Frequency and Impulse Response requirements. In this condition, ECG waveforms with unusually narrow and/or high frequency QRS may be displayed or printed with QRS amplitudes intermittently lower than actual.
- Hamilton Medical AG, HAMILTON-C6, Class II – Software error causes, safety ventilation, in which ventilation continues in the “safety ventilation” mode with audible/visible alarm – patient inputs are not monitored, if the following coincide 1) A mode change to an adaptive mode (ASV, APVcmv, APVsimv, INTELLiVENT-ASV, (S)CMV+, SIMV+), and 2) The controller and/or humidifier is connected to the ventilator and is operational.
- Philips Medical Systems Nederland, SmartPerfusion, Class II – There are technical issues related to signal generation and processing, which can lead to inaccurate presentations.
- Becton Dickinson, BD Kiestra InoqulA+ with BD Kiestra” InoqulA+”, Class II – Upon installation of BD Kiestra” InoqulA+” and BeA version 5.1 and 5.1.1 as part of the Icefall A platform, plate information was not visible in Synapsys” after processing has occurred. This could possibly lead to a delayed diagnosis and/or treatment or need for specimen recollection streaking plated media, and inoculating tubes and slides. In Semi-Automated (SA) mode, plates are automatically selected, barcoded, streaked in a pre-configured pattern while the user manually inoculates plates, tubes, and slides. An optional biosafety cabinet on the SA module provides personnel, product, and environmental protection. The InoqulA+” solution is indicated for use in the clinical laboratory.
- Radiometer Medical ApS, AQURE, Class II – Due to potential software issue that may result in patient mix-up information.
- Shanghai United Imaging Healthcare Co., WithingsPositron Emission Tomography (PET) and Computed Tomography (CT), Class II – Due to a software issue where the process of patient scanning, the scatter correction may occasionally fail with will potentially cause a failure of the PET image reconstruction and generation of PET images.
- Siemens Medical Solutions USA, ARTIS pheno systems, Class II – In the event of any unintended table movement, the system may not detect the incorrect direction, could lead to the injury of a patient, staff member, operator, or equipment.
- Brainlab AG, Brainlab ExacTrac Dynamic software, Class II – Deep Inspiration Breath Hold (DIBH) functionality may not work as specified when based on a standard-workflow Treatment Template.
- Sensus Healthcare Inc, SRT-100 Vision IPX 0, HFUS Module IPX 1, Class II – When the user pauses the beam delivery, the dose timer is reset (to zero), and as a result may deliver an unexpected dose to the patient.
- Elekta, Monaco RTP System, Class II – Re-optimization, after adding contours without forced density outside the external structure, may result in inaccurate dose presentation.
- Carestream Health, DRX-Compass/DR-FIT X-ray Systems, Class II – After pressing and releasing the Z-Axis Motorized buttons on the Tube Head Display, the Overhead Tube Crane (OTC) could potentially continue the movement unexpectedly to a certain distance which could potentially result in an injury.
- Biomerieux, MYLA comprises AST Filters in conjunction with VITEK MS, Class II – For users with MYLA V4.8.X / V4.9 that use VITEK MS to identify organisms as part of their workflow, AST filter rules that have been activated are not always being applied to AST results when sending the results to the clinician.
- Siemens Medical Solutions USA, Luminos dRF, Class II – Potential risk of collision with the ceiling, wall, or objects which may result in serious injury to staff or patients due to room configuration parameters of the system being set to default values.
- NuVasive, MD Pulse III Multimodality System, Class III – Due to an incorrect security key, customers were unable to connect to remote monitoring during spinal surgery, neck dissections, thoracic surgeries, and upper and lower extremity procedures.
- Siemens Medical Solutions USA, Fluoroscopic X-Ray System, Class II – In rare cases, the system may only boot into backup mode after an abrupt shutdown and not reach full operating mode. This may result in a situation where it is necessary to cancel clinical treatment or to continue treatment on an alternative system.
- Align Technology, Invisalign Express, Class II – 3D orthodontic planning software has a defect that leads to an issue where incorrect number of aligners may be produced (less or greater than the doctor requested) and incorrect packaging is provided.
- Agfa HealthCare, Enterprise Imaging XERO Viewer, Class II – There is a software defect that can cause issues with images.
- Roche Diagnostics Operations, cobas infinity central lab, Class II – A complaint investigation revealed that an incorrect behavior relating to the rejection of orders capability of the Host Connectivity Agent (HCA) could occur where the order received from the Laboratory Information System (LIS) is created with an Internal ID rather than the External ID sent from the LIS. The erroneous event occurs under rare circumstances where the date in the sample’s barcode does not match the order date sent from the LIS, and can lead to the order being mismatched to an another patient’s sample ID rather than the subject patient’s sample ID. The software bug impacts multiple cobas infinity central lab software (versions 2.5.x , 3.01.x, 3.02.x, and 3.03.x) and occurs when the afflicted software has been configured with specific pre-conditions.
- Siemens Medical Solutions USA, Programmable Diagnostic Computer, Class II – The firm will be performing a software update to address a software error which affects the listed products. This correction addresses four potential software issues: 1) “PASSWORD STORE CORRUPTED” error message during system boot; 2) Subsystem crash during examination; 3) Dialog Monitor Computer (DMC) application crash while loading a study; and 4) Software crash due to system internal timeout. Issue 1 may lead to a delay or interruption of procedure. Issues 2, 3, and 4 may result in delay in starting or continuing the examination, and may also prevent the operator from starting or continuing a study.
- SEDECAL, wDR 2.2 Mobile Digital Diagnostic X-Ray System, Class II – There is a software login in issue that may prevent the user from logging in.
- Philips North America, DigitalDiagnost C90, Class II – There is a software login in issue that may prevent the user from logging in.
- Appliedvr, RelieVR, Class II – There is the potential for the program software to malfunction which will not allow it to move forward to the next session.
- RaySearch America, Radiation therapy software, Class II – A software bug affecting results when using deep learning (DL) segmentation followed by geometrical functions: Create wall function, Expand Contract function or ROI algebra function, the results are incorrect. If dose statistics for an incorrectly created ROI are used to determine if a plan is acceptable for treatment, this could potentially lead to an inappropriate plan being approved. The error could lead to a more conservative or more liberal plan than intended.
- Illumina, MiSeq Dx Instrument, Class II – Cybersecurity vulnerability concerning the software used for sequencing instruments.
- Vyaire Medical, bellavista 1000 Ventilator, Class II – Vyaire Medical identified two patient safety risks during the use of the bellavista 1000 and bellavista 1000e: 1. Under certain conditions of use, the touchscreen may become unresponsive and the device application stops responding (APP Hang). When this occurs, if the user continues to interact with the touchscreen, a message will appear that states Device Software. Application is not responding or a decommission screen will appear on the user interface. The ventilator will issue both an audible and visual alarm. Ventilation continues without interruption with the settings applied prior to the APP Hang error. 2. The potential for a use error has been identified if the operator applies the proposed settings without confirming the settings are suitable for the patient.
- Datascope Corp., Cardiosave Hybrid Intra-Aortic Balloon Pumps, Class II – The digital IFUs provided with the Cardiosave IABP during the software update to version D.00 incorrectly annotated compliance to standard 60601-1-12:2014 within the updated IFU.
- Inpeco, PVT Interface Module, Class II – Firmware versions have the potential to mis-associate sample IDs leading to incorrect results or delayed sodium, potassium, and chloride patient results. Falsely increased or decreased electrolytes can lead to either inappropriate treatment of normal results, or failure to treat abnormal results resulting in abnormal levels. Abnormal potassium levels can result in weakness, polyuria, ileus, psychiatric disturbances, cardiac arrhythmias, respiratory depression, and death. Abnormal sodium levels can result in CNS disturbances and disturbances of water balance. Abnormal chloride levels can lead to acid base disturbances which can lead to respiratory and cardiac compromise. The event may occur only if all the following conditions occurs in few milliseconds timeframe: – The module is releasing a sample tube (Tube A) just placed into the carrier – Another sample tube (Tube B) is erroneously not diverted into the module buffer lane due to a malfunction of the divert gate Only in this specific scenario, the Tube A may be released by the module as Tube B due to a miscommunication between the module firmware and the Automation software without any error message. The Automation System loses the traceability of Tube A. It manages both Tube A (incorrectly identified as Tube B) and the real Tube B according to the test orders not performed yet on Tube B. Inpeco has released a Technical Service Bulletin with the procedure to correctly update the firmware. The firmware upgrade will be performed by Field Service Engineers. A CAPA (Corrective Action Preventive Action) has been opened to deeply investigate the root cause and identify possible process lack in order to avoid reoccurrences.
- Spacelabs Healthcare, Ultraview SL (UVSL) Command Module, Class II – Command modules will display the following when parameter processing is suspended, depending on software version: 1) Older versions will have waveforms present with no alarms, 2) Newer versions have waveforms absent with no alarms. This may cause clinicians to miss a potentially catastrophic event.
- Outset Medical, Outset Tablo, Class II – An observed trend of high conductivity dialysate alarms in a hemodialysis system as a result of introducing a software tool into the manufacturing process.
- Stryker, Triton Canister Software, Class II – Triton Canister Software, Insert & Scanning Label may cause the Triton Canister System to output inaccurate blood loss estimates can lead to confusion and could potentially result in either delayed recognition or prolongation of postpartum hemorrhage (PPH), or require more aggressive treatment for PPH.
Content of Premarket Submissions for Device Software Functions
The FDA has finally released the Content of Premarket Submissions for Device Software Functions guidance on 14/6/23. This guidance covers:
- Firmware and other means for software-based control of medical devices
- Stand-alone software applications
- Software intended to be operated on general-purpose computing platforms
- Dedicated hardware/software medical devices
- Accessories to medical devices when those accessories contain or are composed of software
The guidance applies to the following submissions of software (either as part of a device or as the device):
- Premarket Notification (510(k))
- De Novo Classification Request
- Premarket Approval Application (PMA)
- Investigational Device Exemption (IDE)
- Humanitarian Device Exemption (HDE)
- Biologics License Application (BLA)
The level of documentation is based on the device’s intended use and does away with the Level of Concern (LOC). There are two levels of documentation:
- Basic Documentation
- Enhanced Documentation
According to the guidance, Enhanced Documentation should be provided for any premarket submission that includes device software functions, where any of the following factors apply:
- The device is a constituent part of a combination product.
- The device (a) is intended to test blood donations for transfusion-transmitted infections; or (b) is used to determine donor and recipient compatibility or (c) is a Blood Establishment Computer Software.
- The device is classified as class III.
- A failure or latent flaw of the device software function(s) could present a probable risk of death or serious injury, either to a patient, user of the device, or others in the environment of use. These risk(s) should be assessed prior to implementation of risk control measures.
If the device does not meet the criteria for Enhanced Documentation, then it should be submitted as Basic Documentation.
https://www.fda.gov/media/153781/download?attachment
Framework for the Use of Digital Health Technologies in Drug and Biological Product Development
The FDA released on 23/3/23 the Framework for the Use of Digital Health Technologies in Drug and Biological Product Development. The Framework is part of the FDA’s ongoing effort to focus on modernizing its approach to digital health technology (DHT) derived data in clinical drug development. Note that this initiative is not directly related to the regulation of digital health medical devices, although DHTs used for deriving data for drug development may also constitute regulated medical devices.
https://www.fda.gov/media/166396/download
Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions
The FDA released on 3/4/23 the draft guidance covering how sponsors of devices may now include with their section 510(k) and premarket approval (PMA) submissions proposed change control plans pursuant to which the sponsor could make certain changes to the approved or cleared device without requiring a new marketing submission.
https://www.fda.gov/media/166704/download
Cybersecurity in Medical Devices: Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act
The FDA/CDRH released on 30/3/23 the Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act. The guidance is part of the 2023 Omnibus budget bill which amended the Federal Food, Drug and Cosmetic Act (FDCA) by adding section 524B, Ensuring Cybersecurity of Devices. The guidance outlines the recent statutory requirements relating to cybersecurity assurances that must be included in device submissions.
- Under section 524B, sponsors making a submission or application of devices that meet the definition of a “cyber device” must now undergo the following steps to ensure that the device meets cybersecurity requirements:
- Submit a plan to monitor, identify and address postmarket cybersecurity vulnerabilities and exploits including coordinated vulnerability disclosure and related procedures.
- Design, develop and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure, and make available postmarket updates and patches to address device vulnerabilities.
- Provide a software bill of materials (SBOM), including commercial, open-source and off-the-shelf software components.
- Comply with any other cybersecurity requirements the Secretary may mandate through regulation.
The guidance define a “cyber device” as one that includes: software validated, installed, or authorized by the sponsor as a device, or in a device that has the ability to connect to the internet and contains any technological characteristics that could be vulnerable to cybersecurity threats.
In order to provide a transition period, the FDA generally intends not to refuse to accept (RTA) premarket submissions for cyber devices that do not comply with section 524B until October 1, 2023.
https://www.fda.gov/media/166614/download
Artificial Intelligence Risk Management Framework (AI RMF 1.0)
On March 30, the NIST launched the Trustworthy and Responsible AI Resource Center, which will facilitate implementation of, and international alignment with, the AI RMF.
In collaboration with the private and public sectors, the NIST has issued a companion AI RMF playbook on 26/1/23 for voluntary use – which suggests ways to navigate and use the AI Risk Management Framework (AI RMF) to incorporate trustworthiness considerations in the design, development, deployment, and use of AI systems. It is intended as a voluntary guide for designing, developing, using and evaluating AI-related products and services with trustworthiness considerations in mind. Organizations can make use of this Framework to better prepare for the unique and often unpredictable risks associated with AI systems.
Framework for the Use of Digital Health Technologies in Drug and Biological Product Development, FDA March 2023
The FDA released in March 2023 the Framework for the Use of Digital Health Technologies in Drug and Biological Product Development. This document outlines the Framework that FDA will use to implement a multifaceted DHT program for drugs. The DHT program will include workshops and demonstration projects; engagement with stakeholders; establishment of internal processes to support the evaluation of DHTs for use in drug development; promotion of shared learning and consistency regarding DHT-based policy, procedure, and analytic tool development; and publication of guidance documents. This document is not a guidance document and does not propose or establish policies.
https://www.fda.gov/media/166396/download
Guidelines on the Applicability of Software as a Medical Device
Japan’s Ministry of Health, Labour and Welfare (MHLW) updates guidelines on the applicability of SaMD. The MHLW has revised parts of the Guidelines on the Applicability of Software as a Medical Device, provided in PSEHB/MDED Notification No. 0331-1 dated March 31, 2021 (also referred to as the “Applicability Notification”). The purpose of the update is to provide further clarification and elaboration on the determination of the eligibility of SaMD in Japan.
Notably, a new part 8 has been added to the guidelines to specify some points to note for software that does not fall under the category of medical devices and for raising awareness on the proper use of the software. For details, the revised guide is provided in PSEHB/MDED Notification No. 0331-1 dated March 31, 2023.
Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions
The FDA released on April 3, 2023, the draft guidance – Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions Framework for the Use of Digital Health. The FDA states that the guidance is intended to provide a forward-thinking approach to promote the development of safe and 24 effective medical devices that use ML models trained by ML algorithms.
https://www.fda.gov/media/166704/download
Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations Questions and Answers
The FDA released a draft guidance with Q&A on the use of electronic systems, electronic records, and electronic signatures in clinical investigation on 15 March 2023.
This document provides guidance to sponsors, clinical investigators, institutional review boards (IRBs), contract research organizations (CROs), and other interested parties on the use of electronic systems, electronic records, and electronic signatures in clinical investigations of medical products, foods, tobacco products, and new animal drugs. The guidance provides recommendations regarding the requirements, including the requirements under 21 CFR part 11, under which FDA considers electronic systems, electronic records, and electronic signatures to be trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.
https://www.fda.gov/media/166215/download
AAMI TIR45:2023 Guidance on the use of AGILE practices in the development of medical device software
AAMI released An updated TIR45 on 154 March 2023. This technical report relates to Agile practices in developing software for medical devices. This report can be purchased from the AAMI.
AAMI TIR57:2016/(R)2023 Principles for medical device security—Risk management
AAMI reviewed and confirmed TIR57:2016 in 2023. This technical report provides guidance on methods to perform information security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971. The TIR incorporates the expanded view of risk management from IEC 80001-1 by incorporating the same key properties of Safety, Effectiveness and Data & Systems Security with Annexes that provide process details and illustrative examples. This report can be purchased from the AAMI.
AAMI TIR97:2019/(R)2023 Principles for medical device security—Postmarket risk management for device manufacturers
AAMI reviewed and confirmed TIR97:2019 in 2023. This technical report provides guidance on methods to perform postmarket security risk management for a medical device in the context of the Safety Risk Management process required by ISO 14971. This report can be purchased from the AAMI.
ANSI/AAMI SW96:2023 Standard for medical device security—Security risk management for device manufacturers
AAMI released SW96:2023 this past year. This technical report provides guidance on methods to perform security risk management for a medical device in the context of the safety risk management process required by ISO 14971. This document is intended to be used in conjunction with AAMI TIR57 and AAMI TIR97. This report can be purchased from the AAMI.
Google Cloud, Mayo Clinic Strike Generative AI Partnership
Google Cloud and Mayo Clinic recently announced a partnership focused on generative AI — the health system will be deploying a new HIPAA-compliant Google Cloud service called Gen App Builder. The tool enables providers to create a search system for their data, equipped with conversational features powered by Google’s large language models.
Cybersecurity in Medical Devices
This is to remind you that the FDA released a draft guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions – Guidance for Industry, Investigators, and Other Stakeholders on April 8, 2022 and has not yet finalized this guidance. As the FDA released the Refuse to Accept Policy for Cyber Devices and Related Systems Under Section 524B of the FD&C Act and said that they will start enforcement on 1/10/23, we are under the opinion that the FDA will release the final guidance for cybersecurity before 1/10/23. Whether the FDA will postpone the enforcement or not is not known. All companies planning submissions from mid-September onwards should take this into account and hope for the best and plan for the worst.
As it is not known what guidance will be released, we are assuming that the draft guidance will be a close (if not exact) copy of the guidance to be released.
Lawsuit accuses Harvard Pilgrim of ‘negligently failing’ to protect members’ data following breach – June 15, 2023
Harvard Pilgrim Health Care and its parent company, Point32Health, have been hit with a class-action lawsuit for allegedly failing to secure the personal information of over 2.5 million people.
This is for all of the companies that do not think that protecting the patient’s personal information is serious business.
MDDS – FDA vs. MDR
There is a hot debate on some of the forums concerning MDDS – Medical Device Data System. This is defined by the FDA as hardware or software products intended to transfer, store, convert formats, and display medical device data. A MDDS does not modify the data or modify the display of the data, and it does not by itself control the functions or parameters of any other medical device. MDDS may or may not be intended for active patient monitoring.
Based on MDCG 2019-11 Guidance on Qualification and Classification of Software in Regulation (EU) 2017/745 – MDR and Regulation (EU) 2017/746 – IVDR, many of the devices defined as MDDS in the FDA would be considered medical devices according to the MDR.
This means that every system should be evaluated for both the FDA and CE, as not to find yourself relating to the device as a MDDS and finding out that you have to submit it to the MDR.
IEC 62304 Update
There is work in reconvening the committee but this is a slow process. We’ll keep you informed if anything happens.
Document Management
Many companies are working with various document management systems. Some are better than others and some are just bad. We recommend companies looking into these tools to evaluate the tools by speaking to real users (not the ones who purchased the tool as they are committed regardless how good or bad the tool is). Make sure that you have support and the capability to customize the tool for your processes. Remember, these tools together with their customizations, must be validated. All updates require a re-validation (at least on the changes).
Tools to Investigate
We are recommending the use of various tools in order to make the FDA/CE happy and, at the same time, improve the quality of the software. These tools include (but definitely not limited to):
- Defect management
- Code control
- Static code analysis
- Dynamic code analysis
- Unit and integration testing
- Continuous integration
- Penetration testing
- Functional safety
- SBOM
When choosing the tools, check the local support. Even though everyone offers Internet support, nothing beats having the support done locally by someone who has the experience and speaks your language. For further information concerning the tools, please feel free to contact us and we’ll refer you to the tool vendors with the tools you need.
Various tools to think about (they cost a little money but will save much more):
- Static Code Analysis – Parasoft, Coverity, Polyspace, SonarQube, Axivion, PQRA, Klocwork, Grammatech, LDRA, IAR C-STAT
- SBOM – Merge Base, FOSSA, SonaType, Insignary, Snyk
- Defect management – Jira, Asana, Azure DevOps
- Unit & integration testing – Cantata
- Safe embedded operating systems – Seggar RTOS
If you need more information on the tools and where to purchase them (with support), please contact us.
FDA Responses to 510K Submissions – Software & Cybersecurity
We are still receiving responses from the FDA concerning their software and cybersecurity. This means that this is becoming the state of the practice for the FDA. These responses relate to the run-time testing, and cybersecurity. Below is shown the wording received from the FDA in most of the cases:
- The submission did not include information on the tools, such as static analysis tools, that you used to detect run-time errors. This information is needed to assess whether good coding practices have been implemented to prevent common coding errors which may adversely affect the safety of the device. Please provide this information. For any such tool used, please identify what error types the tool detects, your method and process of applying the tool(s), and a summary report and/or conclusion about the results. Note: some common run-time errors are:
- Un-initialized variables
- Type mismatches
- Memory leaks
- Buffer over/under flow
- Dead and unreachable code
- Memory/heap corruption
- Unexpected termination
- Non-terminating loops
- Dangerous Functions Cast
- Illegal manipulation of pointers
- Division by zero
- Race conditions
- The information security and cybersecurity of the device is needed to evaluate the cybersecurity risks and the associated controls. The FDA has been asking for the cybersecurity even from devices that have no connectivity.
- Cybersecurity methodology – threat modeling / threat analysis using various guidances, including: NIST Cybersecurity Framework, ANSI/UL 2900, ANSI/ISA 62443-4-1, AAMI TIR57, IEC TR 80001-2, etc.
- Please discuss in detail information on your design considerations, including mitigations pertaining to intentional and unintentional cybersecurity risks.
- A specific list of all cybersecurity risks that were considered in your design.
- A specific list and justification for all cybersecurity controls that you established, and the justification as to why such controls are adequate. Please provide the evidence that the controls perform as intended.
- Please ensure that you address information confidentiality, integrity, and availability.
- Please incorporate, as appropriate, the information identified here in your TPLC Security Risk Management.
Summary
There are many ways to screw up your software in the medical device whether it is embedded in dedicated hardware (also known as SiMD – Software in a Medical Device) or stand-alone health software (also known as SaMD – Software as a Medical Device). It doesn’t take too much talent to do this (as we all know) and companies are doing it daily. Many companies mess up royally and don’t know how to get out of the mess. In many cases, they don’t even know that they are in deep trouble until the recall is issued.
You can work properly without breaking the bank. There are many ways to handle the software development/maintenance life cycle and the software validation.
If there are any questions or requests, please feel free to contact us.
Mike