Software in Medical Devices – Update for Q1/Q2 2024 The past year, as in previous…
Software in Medical Devices – Update for Q3/Q4 2021
Software in Medical Devices – Update for Q3/Q4 2021
The past year has been exceedingly difficult for all of us, from many distinct aspects. Not much has been happening in releasing new standards and the MDR has finally happened.
This is a continuation of the software updates I have been sending out. Please check out all the references to download and/or to purchase. If you have any questions, please contact us.
Software is everywhere in medical devices and IVDs. The FDA and CE are becoming more pedantic on how they review and relate to software. The number of companies getting into the field is growing and the amount of software being developed for medical is exceptionally large.
The is an emphasis on “digital health” where the FDA is fast-tracking many devices (even though it is only software, it is still a medical device). Just because it is software only, this doesn’t mean that you are free from all the regulations, including a quality management system, risk analysis, etc.
Software Recalls Q3-Q4 /2021
We have been following the recalls and there were a growing number of recalls that are listed where software played a role in the recall. It is interesting to note that software is the leading cause of recalls in the FDA for the past 5 years. This trend does not look like it will change.
The following are additional examples of recalls involving software directly as listed on the FDA website. There were less recalls in this period relating to software than last year, but there were a number of class 1 recalls. There may be more but classified not under software. The descriptions given for the recall are taken from the FDA database. For further details on the recalls, you can check them out on the FDA’s recall database.
- Medtronic Navigation, Stealthstation System, Class I – Cranial biopsy procedure software can enter a state where the biopsy depth gauge is no longer synchronized with the rest of the navigational information on the screen and may display an incorrect position of the biopsy needle, which may result in prolonged procedure, the need for additional surgical procedure, tissue injury.
- Baxter Healthcare, Dose IQ Safety Software used with Spectrum IQ Infusion Pump, Class I – Software issue: The defect creates a mismatch between linked drug identifiers (IDs) in the Dose IQ user interface (UI) and the binary drug library (BDL) loaded onto the Spectrum IQ pump.
- MEDTECH, ROSA One 3.1 Brain application, Class I – The firm has become aware of a software anomaly affecting ROSA One 3.1 Brain application which led to the inaccurate placement of an electrode during surgery. The firm has received 3 global complaints related to the issue. An incorrect trajectory could result in serious injury or death if undetected during surgery.
- AB SCIEX, Cliquid MD version 3.4, Class II – The values of the Internal Standard (IS) concentrations are incorrectly derived when the user builds a customized test, then set the IS column to hidden and left the column empty. This may lead to the user making incorrect conclusions using incorrect results.
- DePuy Orthopedics, TRUMATCH CT PIN GUIDE KIT R, Class II – A coding error associated with the Fast3D Segmentation software. During the scanning process the three images required of the hip, knee and ankle may not be aligned, causing the anatomic landmark locations to potentially result in limb malalignment.
- Soft Computer Consultants, SoftGenomics version 4.1.15.6, Class II – Software showing wrong results reported, PDF does not match HIS.
- Siemens Medical Solutions, ACUSON Juniper Diagnostic Ultrasound System, Class II – When an ultrasound system experiences this failure, cycling the power does not recover system functionality.
- Angiodynamics, NanoKnife Disposable Single Electrode, Class II – Programming issue affected RFID function of a single lot and did not allow the NanoKnife probes to be recognized by the NanoKnife generator.
- Simpleware, ScanIP software, Class II – A issue (bug) has been identified with the interface and image software which could result in anatomical orientation tags/labels being displayed incorrectly. This could result in operator misunderstanding and errors during resampling or re-alignment of image data.
- GE Healthcare, CARESCAPE PDM-Masimo SpO2, Class II – Masimo SpO2 Saturation Values can become frozen after an extended length of use without a power down.
- Intuitive Surgical, da Vinci SP Surgical systems, Class II – Issue was identified during internal engineering evaluation. Use of the system with the affected software version may experience either an inability to deliver energy or an inadvertent delivery of energy. Use may require surgeon to resolve an injury or need moderate intraoperative intervention. Also, use may potentially cause user frustration or a minor delay to troubleshoot.
- GE Healthcare, Centricity Universal Viewer, Class II – There is a potential to display incomplete patient imaging study.
- Siemens Healthcare Diagnostics, Dimension Vista 500, Class II – Incorrect Default Hemolysis, Icterus or Lipemia (HIL) Index for Five Dimension Vista Assays.
- Thoratec, Abbott HeartMate Touch Communication System, Class II – If LVAS communication system is trying to establish Bluetooth connection and another Bluetooth-enabled device is nearby and advertising for Bluetooth connection, the Bluetooth connectivity interference may cause the system App to close or fail to open. Once Bluetooth adaptor is connected, barring disconnection, all functionality is unaffected; the device will continue to operate as expected.
- Siemens Medical Solutions, Artis Q floor with software, Class II – If SID (source-to-image distance) lift movement is activated and x-ray shall be released simultaneously; x-ray is not possible and the message No x-ray, try again is displayed, may result in a short delay in procedure.
- Siemens Medical Solutions, SOMATOM Drive with software syngo.CT VB20, Class II – Software syngo.CT VB20 in the installed base, with or without syngo.CT software versions VB20_SP1, SP2, SP3, or SP4, may result in workflow interruptions resulting in the delay in diagnosis, the necessity for patient rescans, and/or the need for additional contrast media may occur.
- Medtronic, CareLink SmartSync Device Manager, Class II – The processing of collected episode data may fail due to a software error.
- Abbott Laboratories, ARCHITECT c4000, Class II – Twelve software-related issues affecting software version 9.41 and earlier were identified. The issues include bypassing error codes, incorrect calibration, loss of module communication leading to overfilling wash buffer containers, missing QC flags, signal spikes, abnormal optics reads, and incorrect sample aspiration. The issues may lead to inaccurate results with an unknown bias direction and magnitude for assays measuring cardiac, metabolic (including diabetes), toxicology, prenatal, therapeutic drug monitoring, infectious disease, oncology, hepatic, pancreatic, hematological, endocrinologic, inflammatory analytes.
- Roche Diagnostics Operations, Cobas u 601 urinalysis test system, Class II – A potential risk for false negative nitrite results exists when endogenous creatinine levels are 15,000 mg/L and above. No interference of Nitrite results was observed at creatinine levels up to 9,000 mg/L.
- Fujifilm Irvine Scientific, Vit Kit-Freeze, Class II – Due to a component in kit being labeled with the incorrect Expiration Date.
- Siemens Medical Solutions, Sensis/ Sensis Vibe systems with software, Class II – System operator manual states that the system should be rebooted once, every 7 days. In some cases, users are not following these instructions and the system is running for more than 7 days. Under rare circumstances, this may result in a partial freeze of the user interface which would no longer update the vital signs.
- Baxter Healthcare Corporation, Hemodialysis Delivery System, Class II – If the operator initiates therapy with a saved prescription profile and makes a change to the prescription after a disposable filter change using the Same Patient button, the system may suggest values from the original prescription profile, rather than the current prescription.
- Philips North America, Azurion Interventional Fluoroscopic X-Ray System, Class II – When the user presses or releases both the APC (accept) button and the Float Tabletop (panning) button at the same time, the geometry may stop reacting on movement requests (table lock-up) and X-ray imaging becomes unavailable.
- Siemens Medical Solutions, Artis zeego, Fluoroscopic X-Ray System, Class II – Software error, the software can produce an incorrect interpretation of the table rotation if the table has been rotated by more than 4degrees in either direction. This can cause the 3D image reconstruction to be shown rotated by up to 5 degrees relative to the patient and to be used inappropriately by the system and result in incorrect treatment of the patient.
- Medtronic Neuromodulation, Clinician Programmer Application (CPA), Class II – A software anomaly may occur with the clinician programmer application.
- FujiFilm Healthcare Americas Corporation, Arietta 850 Ultrasound, Class II – Diagnostic ultrasound system with the specified software version and used in conjunction with a Fujifilm (formally Hitachi) transducer does not display the measurement results correctly with two cardiology measurement functions: Mitral Regurgitation Flow (MR Flow) Measurement; Mitral Valve (MV) Measurement.
- Siemens Healthcare Diagnostics, Aptio Automation Interface Module to ADVIA Centaur XP/XPT, Class II – The Aptio Automation Firmware for the ADVIA Centaur XP/XPT Interface Module may lead, in some cases, to an incorrect association of test results to sample ID. Incorrect association of test results could impact clinical interpretations and clinical decisions.
- Siemens Healthcare Diagnostics, Advia Chemistry Urinary/Cerebrospinal Fluid Protein, Class II – The firm has confirmed the potential for ADVIA Chemistry Urinary/Cerebrospinal Fluid Protein reagent carryover impacting Enzymatic Hemoglobin A1c (A1c_E and A1c_EM) results. Falsely depressed Enzymatic Hemoglobin A1c results may affect consideration of intervention.
- Elekta, Oncentra Brachy, Class II – Under certain circumstances, there can be a difference between the planned and delivered dose of the two ovoid channels.
- Xstrahl, Concerto User Interface Software, Class II – If a saved treatment plan with 2 opposing beams is edited prior to approval, then Beam 2 is not updated with the changed parameters upon selecting save, resulting in error messages during the treatment and possible mistreatment.
- Canon Medical System, PET-CT SCANNER, Class II – A software problem has been identified which could result in the diagnostic imaging system not proceeding to the next actual scan even though automatic start of the next scan is specified. This could result in the diagnostic imaging system failing resulting in rescanning and reinjection of contrast medium.
- GE Healthcare, SIGNA Premier nuclear magnetic resonance imaging system, Class II – Under certain conditions, some slices may be missing which can lead to a gap of anatomy in the 3D Volume images.
- Philips Ultrasound, EPIQ CVxi Diagnostic Ultrasound Systems, Class II – Ultrasound system software issue can cause an EchoNavigator error notification, leading to an unresponsive system, necessitating system restart, which could lead to therapy/treatment delay and/or unnecessary therapy/treatment. Can occur during ultrasound-guided TEE with EchoNavigator, if secondary screen capture is enabled and user presses other system buttons before secondary capture completed.
- Draeger Medical, Evita V500 Ventilator, Class II – Software 2.51 and Lower with Installed CO2 Measurement Option, may result in Restart of the Ventilator, brief cessation of ventilation can occur and loss of PEEP for approx. 8 seconds.
- Inpeco, FlexLab, Class II – The Firmware (FW) of the Automation System Interface Module to ADVIA Centaur XP/XPT may lead to an incorrect association of test results to sample ID. Improper management of the sample may bring an incorrect patient result.
- BioMerieux, MYLA part of the VIRTUO System, Class II – Under certain conditions, there is a risk for a false negative result.
- Philips Ultrasound, Sparq Diagnostic Ultrasound System, Class II – Battery system data issue with the ultrasound system can intermittently cause a system shutdown, regardless of actual battery state or application of alternating current power.
- Welch Allyn, ELI, Burdick and McKesson brand 280 Resting Electrocardiographs, Class II – The devices malfunction under specific operator workflows.
- Datascope, Cardiosave Rescue Intra-Aortic Balloon Pump, Class II – The Cardiosave IABP may unexpectedly shut down when the device is running on AC power, only one battery is installed in the IABP, and the battery is physically removed while the battery is being charged. This occurs during a very specific set of conditions.
- Elekta, MOSAIQ Oncology Information System, Class II – A drug strength in MOSAIQ can be changed during the ordering process and approved, but the saved drug strength reverts to the original value.
- Biodex Medical Systems, AtomLab 500Plus Dose Calibrator Software, Class II – When deleting a previously entered custom isotope, the software deletes the isotope, but not the associated dial setting. Possible other stored custom isotopes may then have incorrect dial settings and may lead to an incorrect dose measurement and/or misadministration.
- WOM World of Medicine, Covidien HysteroLux Fluid Management System Control Unit, Class II – When the display of inflow volume to the uterus reaches 32450 ml, the fluid management system control unit display will freeze because the internal software calculation threshold is reached. The outflow measurement will continue, and so the deficit accumulated up to this point will start counting backwards to 0 ml. There is a risk of distention fluid reaching the soft tissue circulatory system.
- Elekta, Monaco, Class II – Contour changes can be saved on an unintended image set. In addition, these contour edits do not cause the dose to be frozen on the plans associated with that image se.
- GE Healthcare, Centricity Universal Viewer, Class II – Image acquisition failures and synchronization failure with the Centricity Enterprise Archive.
- Siemens Medical Solutions, Computed tomography x-ray systems with software syngo.CT, Class II – Software versions may result in sporadic problems causing scanning workflow interruptions and unexpected user notifications. Sporadic software errors may also occur during interventional workflows, resulting in delay in diagnosis or scan aborts with the necessity for patient rescan may occur.
- Philips Ultrasound, EPIQ Diagnostic Ultrasound Systems, Class II – Due to a software defect that can intermittently cause the system to lock-up which exiting Review Mode while performing an exam.
- Abbott Laboratories, Alinity ci-series System Control Module clinical chemistry and immunoassay analyzer, Class II – Due to potential performance issues with software version 3.2.3 and earlier. Performance issues are: 1) There is the potential for onboard reagents past their lot expiration date or onboard stability time to be incorrectly displayed on the Reagent Status screen with a status of “OK”. In this scenario, the expired reagent will remain in the carousel for sample processing. 2) Performing monthly maintenance procedure 5701 Clean ICT Drain Tip incorrectly may potentially cause issues such as damaged connector or leaking connection. 3) A sample exception with message code 150 “Unable to process test. Previous processing module error” is produced without notifying the operator of a reagent pipettor failure and may cause processing module to transition into the Pausing state. Tests initiated prior to the sample exception may continue to process without dispense of reagents, potentially leading to incorrect results. 4. Reagent short dispense: Alinity c needs a control measure to protect against the potential for short reagent dispense. Addition of a maximum depth limit for reagent cartridges on the Alinity c to prevent the potential for a short dispense is needed. 5. RSM indicators were blinking green incorrectly: The Reagent and Sample Manager (RSM) indicators will incorrectly blink green indicating that processing is completed and the rack or cartridge can be removed from the loading area when the rack or cartridge should not be accessed. 6. Erroneous ICT Calibration Curves: Erroneous ICT calibration curves might be generated for the Alinity c when there is a malfunction of ICT reference solution delivery, use of wrong/evaporated calibrator, defective ICT modules, etc.
- Roche Diagnostics Operations, cobas infinity central lab, Class II – Under specific circumstances created by the user, the cobas e flow test results could be replaced by an automatic result sent to the lab LIS. This automatic result could be released and interpreted by your Laboratory Information System (LIS) as a false positive or negative result. It should be noted that the “correct” result would still be available on the instrument.
- Siemens Medical Solutions, MR MAGNETOM Systems with RT Image Suite, Class II – Potential for data loss when using the contouring or patient marking workflow when editing a structure set after saving and reopening a study, resulting in an incomplete structure set sent to the treatment planning system (TPS).
- Angiodynamics, Solero Generator, Class II – Specific serial numbers of the Solero MTA Generator require servicing to upgrade the software to help reduce the incidence of Error 0001, which can occur during system start-up.
- Siemens Medical Solutions, Artis, Class II – Due to a software error, the IAS (Image Acquisition System) may sporadically fail during startup/ restart, and result in delay of clinical treatment.
- Zeltiq Aesthetics, CoolSculpting Elite System, Class II – An incorrect error messaging system that could potentially lead to: 1) Reporting a thermal event error causing a user to re-treating the affected anatomic area within 24 hours, 2) Not reporting a thermal event or any other error codes causing a user to continue treating without being aware that a thermal event has occurred.
- Beckman Coulter, Normand Remisol Advance Data Manager, Class II – There is a potential that the data management system may add additional cells to the patient request which could lead to erroneous patient result.
- Philips North America, IQon Spectral CT-Computed Tomography X-ray system, Class II – When setting patient weight unit preferences to pounds, SynchRight P3T (Personalized Patient Protocol) software will result in increased contrast volume, resulting in increased contrast volume recommended for the patient.
- Olympus Corporation of the Americas, Soltive Premium Super Pulsed Laser System, Class II – Thermal injury following dusting and fragmenting treatment of ureteral stones when user exceeded the 20W standard presets.
- Abbott Laboratories, Alinity S System, Class II – A design defect (hardware and software) allows liquid waste pressure to build up and potentially spray users/operators.
- Randox Laboratories, Randox RX Imola Analyser with ISE, Class II – An issue was identified where the software froze during processing of commands, which resulted in no results displayed.
- Caption Health, Caption AI Ultrasound Imaging System Application Software, Class II – The firm is aware of an issue with ultrasound software that results in unintended video frames being included. This could lead to an incorrect automated ejection fraction (AutoEF) and image quality score (IQS) estimates.
- Medtronic, Reveal, Class II – Reveal LINQ with TruRhythm ICMs, that undergo a partial electrical reset appear to be programmed “ON”, but are no longer able to detect and report Brady and Pause events to clinicians.
- GE Healthcare, SIGNA MR355, Class II – GE Healthcare has recently become aware of an issue on the affected products listed below where the “Patient Orientation” button may inadvertently be clicked when intending to click on the “Save RX” button. This changes the prescribed patient orientation on the system prior to running the initial 3-Plane Localizer Scan (See Figure 1 for reference to buttons.) Selecting and saving a patient orientation that does not match the patient’s actual position may result in incorrectly annotated and/or flipped images.
- Remote Diagnostic Technologies, Tempus Pro – Patient physiological monitor, Class II – The Tempus Pro (Trizeps 7 only) when used in combination with a specified laryngoscope device can cause two error types when subsequently unplugged.
- Haag-Streit, OCT-Camera 211 01 A1, Class II – Malfunction of the automatic laser beam shut-off, the OCT unit might not recognize whether the laser beam is safely switched off.
- Northgate Technologies, AUTOLITH TOUCH Bipolar Electrohydraulic Lithotripter, Class II – The languages for Russian, Romanian, Slovak, and Czech have the power settings for high and low switched in the device.
- Cypress Medical Products, McKesson Lap Sponge, Class II – Manufacturer issued a recall due to an EO indicator color. The indicator should change from red to blue signifying sterilization. However, on one case of product, the indicators did not change.
- Philips North America, Wireless Footswitch, Class II – Wireless foot switch connection issues causing interruption of Fluoroscopy and exposure.
- Ion Beam Applications, Proteus 235, Class II – Proton Therapy System (PTS) software can be started in the clinical environment (clinical user) while some processes are still running in the test environment (tcs user). Initiating the startup of the clinical processes in the environment is not prevented even if some processes of the test environment (tcs) are still running. It may lead to situations where the system is using test processes without notifying the clinical user. If the versions of the processes are different between both environments, this could have an impact on patient treatments.
- Siemens Medical Solutions, ARTISTE with syngo RT Therapist-linear accelerator systems, Class II – Potential safety issue under specific preconditions that may result in a user selecting the wrong site for treatment with the possibility to deliver dose to the wrong isocenter which could result in serious patient injury.
- GE Healthcare Service, MAC VU360 Electrocardiograph, Class II – Incorrect patient identification and/or patient demographic errors.
- Siemens Medical Solutions, PRIMUS HI #04504200 with Digital LINAC Systems Control Console, Class II – Potential safety issue with the dose monitoring system safety interlocks which could result in a 10-20% overdose of radiation therapy.
IEC 62304 Update
As mentioned last update, the IEC 62304 draft that was in the works has been rejected. The working group disbanded itself and there is a new working group being organized. This means that IEC 62304:2006 + Amd1:2015 will remain valid for some more years to come.
Content of Premarket Submissions for Device Software Functions
The FDA has released on 4/11/21 the draft guidance of the Content of Premarket Submissions for Device Software Functions distributed for comment purposes only. The guidance is due to replace the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices from May 2005.
This guidance is intended to cover:
- Firmware and other means for software-based control of medical devices
- Stand-alone software applications
- Software intended to be used on general-purpose computing platforms
- Dedicated hardware/software medical devices
- Accessories to medical devices when those accessories contain or are composed of software
The draft guidance applies to the following submissions of software (either as part of a device or as the device):
- Premarket Notification (510(k))
- De Novo Classification Request
- Premarket Approval Application (PMA)
- Investigational Device Exemption (IDE)
- Humanitarian Device Exemption (HDE)
- Biologics License Application (BLA).
The level of documentation is based on the device’s intended use. There are two levels of documentation:
- Basic Documentation
- Enhanced Documentation
According to the guidance, Enhanced Documentation should be provided for any premarket submission that includes device software functions, where any of the following factors apply:
- The device is a constituent part of a combination product.
- The device (a) is intended to test blood donations for transfusion-transmitted infections; or (b) is used to determine donor and recipient compatibility or (c) is a Blood Establishment Computer Software.
- The device is classified as class III.
- A failure or latent flaw of the device software function(s) could present a probable risk of death or serious injury, either to a patient, user of the device, or others in the environment of use. These risk(s) should be assessed prior to implementation of risk control measures.
Cybersecurity Alerts
The FDA announced on December 21, 2021, a cybersecurity alert for the Fresenius Kabi Agilia Connect Infusion System. The announcement referenced a Cybersecurity and Infrastructure Security Agency (CISA) publication of a vulnerability disclosure ICSMA-21-355-01 on the system. The risk evaluation is that successful exploitation of the vulnerabilities could allow an attacker to gain access to sensitive information, modify settings or parameters, or perform arbitrary actions as an authenticated user.
The Department of Homeland Security’s CISA has issued an advisory for the Worldwide Infrastructure Healthcare and Public Health sectors regarding Philips Vue PACS. The ICS Medical Advisory, ICSMA-21-187-01, discloses 15 vulnerabilities discovered in the Philips Clinical Collaboration Platform Portal, also known as Vue PACS. Four of these have been ranked as a 9.8 on the CVSS v3 base scale in severity.
Playbook for Threat Modeling Medical Devices
The FDA in November 2021 issued the “Playbook for Threat Modeling Medical Devices” that was developed to increase knowledge of threat modeling throughout the medical device ecosystem to further strengthen the cybersecurity and safety of medical devices.
Best Practices for Communicating Cybersecurity Vulnerabilities to Patients
The FDA/CDRH issued the Best Practices for Communicating Cybersecurity Vulnerabilities to Patients paper in October 2021 to provide helpful information to consider when communicating with patients and caregivers about cybersecurity vulnerabilities.
https://www.fda.gov/media/152608/download
Assessing the Credibility of Computational Modeling and Simulation in Medical Device Submissions
The FDA has released on 12/21 the draft guidance of the Assessing the Credibility of Computational Modeling and Simulation in Medical Device Submissions. The credibility is defined as trust in the predictive capability of a computational model, used to support medical device premarket submissions.
FDA’s Software Related Prioritized Medical Device Guidance Documents to Publish in FY 2022
A-List Final Guidance Topics:
- Clinical Decision Support Software
- Unique Device Identification: Policy Regarding Global Unique Device Identification Database Requirements for Certain Devices
- Electronic Submission Template for Premarket Notification (510(k)) Submissions
A-List Draft Guidance Topics:
- Computer Software Assurance for Production and Quality System Software
- Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
- Content of Premarket Submissions for Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD)
B-List Draft Guidance Topics:
- Patient Engagement in the Design and Conduct of Medical Device Clinical Investigations
If time permits, the FDA hopes to release the draft Risk Categorization for Software as a Medical Device: FDA Interpretation, Policy, and Considerations.
MDCG 2021-24 Guidance on classification of medical devices
The MDCG released in October 2021 the Guidance on classification of medical devices. Highlights of this guidance include that software is defined as an active device and software should be reviewed not only in the context of Rule 11.
Rule 11 – Software intended to provide information to inform decisions with diagnosis or therapeutic purposes or software intended to monitor physiological processes.
What was in the MDD/IVDD is not in the MDR/IVDR.
Medical imaging CEO receives guilty verdict for $250 million in false claims
It was reported on July 12, 2021, that a federal jury has issued a guilty verdict against the former CEO of several medical imaging companies for submitting more than $250 million in fraudulent claims and using bribes and kickbacks to recruit patients.
Who says you can’t make money in software? Please don’t try this.
Unique Device Identification System: Form and Content of the Unique Device Identifier (UDI)
The FDA issued on July 7, 2021, this document to aid labelers and FDA-accredited issuing agencies in complying with unique device identifier (UDI) labeling requirements.
Radiology specialists hit by Lawsuit
It was reported on July 16,2021, that radiology specialists at Northeast Radiology and its vendor Alliance HealthCare Services have been hit with a class-action lawsuit over a data breach spanning at least nine months and caused by vulnerabilities in its PACS system. The claim is based on a security flaw in the database that allowed unauthorized parties to access patient information, including names, Social Security numbers, dates of birth, addresses, x-rays, CT scans, MRIs, medical test results, diagnoses, and procedure descriptions.
Electronic Submission Template for Medical Device 510(k) Submissions
The FDA has issued in September 2021 the draft guidance for electronic submission template for medical device submissions.
Digital Health Technologies for Remote Data Acquisition in Clinical Investigations
The FDA/CDER released a draft guidance on Digital Health Technologies for Remote Data Acquisition in Clinical Investigations – Guidance for Industry, Investigators, and Other Stakeholders, December 2021.
New MDCG Standards
- MDCG 2021-24 – Guidance on classification of medical devices, October 2021
FDA Recognized Consensus Standards (since last update)
- IEC 62563-1 Edition 1.2 2021-07 Consolidated Version, Medical electrical equipment – Medical image display systems – Part 1: Evaluation methods
- ANSI/AAMI 2700-1:2019, Medical Devices and Medical Systems – Essential safety requirements for equipment comprising the patient-centric integrated clinical environment (ICE) – Part 1: General requirements and conceptual model
Document Management
Many companies are working with various document management systems. Some tools are better than others and some tools are just bad. We recommend companies looking into these tools to evaluate the tools by speaking to real users (not the ones who purchased the tool as they are committed regardless how good or bad the tool is). Make sure that you have support and the capability to customize the tool for your processes. Remember, these tools together with their customizations, must be validated. All updates require a re-validation (at least on the changes).
When and How to Use Sub-Contractors for Software Development
There are pluses and minuses in using sub-contractors to develop the software of a medical device. If the company is a start-up, it usually doesn’t have the resources to develop quality software. In this case, the decision to use a sub-contractor comes easy. It makes sense to use a good sub-contractor to develop the software. The question arises, what to allow the sub-contractor to do and how to control the work being done.
When discussing the project with the sub-contractor, he will swear that he knows what the regulatory bodies want, he knows the standards, he knows how to develop the code according to required guidelines, he knows how to write the documents, he knows how to validate the software, etc.
It’s very probable that the sub-contractor has worked on a number of projects that have cleared the FDA/CE. The clearance can be due to good software documentation produced or due to more luck than experience, as the reviewer did not review the documentation in depth.
Additionally, the sub-contractor will tell you he can write the software requirements and validate them. Would you let the cat watch the cream? As you know what is required, you should write the software requirements specifications. If the sub-contractor writes the software requirements, they will reflect what the software does and not what you require from the software.
Accordingly, you should also validate the software according to the requirements. You know what is expected and this way, you can make sure the software meets the formal requirements defined.
You should also have a SOW (Statement of Work) with the sub-contractor detailing the scope of work, documentation standards, participation in audits (internal, external) if required, implementation documentation (unit test summaries, integration test summaries, code review summaries, verification testing summaries, etc.) on your forms (not the sub-contractor’s forms), etc.
The sub-contractor should be trained according to your SDLC procedure (even if they tell you that they are certified). You do not want your external auditor (FDA/NB) deciding that they want to audit your sub-contractor.
Sub-contractors developing software (firmware, mobile, cloud, AI, etc.) who are looking to expand their portfolio and get deeper into medical devices are invited to contact me to find out what is required from them and how they can get their message to the companies looking for software development.
Software Safety Classes (IEC 62304) Versus Levels of Concern (FDA)
Both, IEC 62304, and the FDA (Content of Premarket Submissions for Software Contained in Medical Devices) distinguish three different categories of medical device software. The IEC 62304 uses the software safety classes (SSC) and the FDA guideline uses the Level of Concern (LOC). This causes much confusion.
The SSC is defined as follows in IEC 62304:2006 + A1:2015:
- The software system is software safety class A if:
- the software system cannot contribute to a hazardous situation; or
- the software system can contribute to a hazardous situation which does not result in unacceptable risk after consideration of risk control measures external to the software system.
- The software system is software safety class B if:
- the software system can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the software system and the resulting possible harm is non-serious injury.
- The software system is software safety class C if:
- the software system can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the software system and the resulting possible harm is death or serious injury.
The LOC is determined as follows in the FDA’s Content of Premarket Submissions for Software Contained in Medical Devices:
- Major: We believe the level of concern is Major if a failure or latent flaw could directly result in death or serious injury to the patient or operator. The level of concern is also Major if a failure or latent flaw could indirectly result in death or serious injury of the patient or operator through incorrect or delayed information or through the action of a care provider.
- Moderate: We believe the level of concern is Moderate if a failure or latent design flaw could directly result in minor injury to the patient or operator. The level of concern is also Moderate if a failure or latent flaw could indirectly result in minor injury to the patient or operator through incorrect or delayed information or through the action of a care provider.
- Minor: We believe the level of concern is Minor if failures or latent design flaws are unlikely to cause any injury to the patient or operator.
The SSC classes determine the software life-cycle development processes to be performed and documented. Class A has the least processes and documentation required and Class C has the most. The SSC is determined at the beginning in the project.
The LOC determines the document to be submitted as part of the submission (and not as part of the development process). The LOC must be determined before the submission. It has been known in numerous cases, that the FDA has determined the LOC is different than what the company determined (the FDA always wins).
There is a virtual connection between the SSC and the LOC, but they both relate to different aspects (processes and documentation vs. documentation to be submitted) and should be handled accordingly.
FDA Responses to 510K Submissions – Software
We are still receiving responses from the FDA concerning their software. This means that this is becoming the state of the practice for the FDA. These responses relate to the run-time testing, and cybersecurity. Below is shown the wording received from the FDA in most of the cases:
- The submission did not include information on the tools, such as static analysis tools, that you used to detect run-time errors. This information is needed to assess whether good coding practices have been implemented to prevent common coding errors which may adversely affect the safety of the device. Please provide this information. For any such tool used, please identify what error type that the tool detects, your method and process of applying the tool(s), and a summary report and/or conclusion about the results. Note: some common run-time errors are:
- Un-initialized variables
- Type mismatches
- Memory leaks
- Buffer over/under flow
- Dead and unreachable code
- Memory/heap corruption
- Unexpected termination
- Non-terminating loops
- Dangerous Functions Cast
- Illegal manipulation of pointers
- Division by zero
- Race conditions
- The information security and cybersecurity of the device is needed to evaluate the cybersecurity risks and the associated controls. The FDA has been asking for the cybersecurity even from devices that have no connectivity.
- Please discuss in detail, information on your design considerations, including mitigations pertaining to intentional and unintentional cybersecurity risks including:
- A specific list of all cybersecurity risks that were considered in your design.
- A specific list and justification for all cybersecurity controls that you established, and the justification as to why such controls are adequate. Please provide the evidence that the controls perform as intended.
- Please ensure that you address information confidentiality, integrity, and availability.
- Please incorporate, as appropriate, the information identified here in your Hazard Analysis.
- The FDA has been reading the software documentation, including the Risk Analysis, SRS, SDD, STD, STR, Traceability Report, OTS Report, Cybersecurity, etc. They have been raising issues as shown in the following:
- SRS: contradictions and not containing information necessary to understand the requirements for your device software; requirements related to programming language requirements or to the interfaces.
- SDD: high-level architecture and does not include the level of detail expected for software architecture; does not include information necessary to ensure that your software is safe and effective for the intended use of the device; missing information for all the third-party devices used by your system.
- Traceability Report: traceability documentation does not link between requirements to the hazards
- Testing: it doesn’t include a summary of the static analysis, examples of unit integration testing, and a summary of the results.
We are highly recommending to clients several remediations:
- SSC Class B/Moderate LOC – software require tools to test the software for run-time errors. We are recommending using static code analysis tools. There are low end tools that should be used, e.g., Source Code Analysis package for medical device companies from Parasoft (C/C++, Java, C#/VB.NET), Microsoft Visual Studio Static Code Analysis (C/C++), IAR C-STAT static analysis (C/C++), etc.
- SSC Class C/Major LOC/Special Guidance/PMA – FDA will ask for a SCA report. We highly recommend using one of the tools that we know the FDA has evaluated. A partial list of these tools is Parasoft, Coverity, Polyspace, PQRA, Klocwork, Grammatech and LDRA.
- A cybersecurity report should be prepared for submission to the FDA based upon the threat analysis.
- Using tools for cybersecurity testing, penetration testing, etc.
When choosing SCA and cybersecurity tools, check the local support. Even though everyone offers Internet support, nothing beats having the support done locally by someone who has the experience and speaks your language.
Summary
There are many ways to screw up your software in the medical device whether it is embedded in dedicated hardware (also known as SiMD – Software in a Medical Device) or stand-alone health software (also known as SaMD – Software as a Medical Device). It doesn’t take too much talent to do this (as we all know), and companies are doing it daily. Many companies mess up royally and don’t know how to get out of the mess. In many cases, they don’t even know that they are in deep trouble until the recall is issued.
You can work properly without breaking the bank. There are many ways to manage the software development/maintenance life cycle and the software validation.
If there are any questions or requests, please feel free to contact us.
Mike