Software in Medical Devices – Update January 31, 2016
This is a continuation of the software updates I have been sending out. Please check out all of the references to download and/or to purchase.
Software Recalls Q2, Q3 and Q4/2015
We have been following the recalls, and a growing number of the listed recalls are ones where software played a role. The following are additional examples of recalls involving software directly. There were over 150 recalls in these quarters relating to software, including 5 class I recalls.
- Brainlab Cranial Image-Guided Surgery (IGS) System, Class I – Brainlab is recalling the Cranial IGS System due to potential inaccuracies in the display by the navigation system compared to the patient anatomy. This could lead to inaccurate, ineffective medical procedures, and serious life-threatening injuries including death.
- Insulet Corporation OmniPod, Class I – Insulet has identified two issues with these devices. The tube either fails to fully insert into the skin or completely retracts after insertion. This failure occurs without an alarm and the Pod will continue to pump insulin. The Pod will provide an audible alarm signal and display a failure. Once the alarm occurs, the Pod will not pump insulin. Both failures can result in inaccurate dosage of insulin which can lead to high blood sugar (hyperglycemia). If left untreated, hyperglycemia can cause life-threatening conditions or even death. The firm has received nine reports in which the device has malfunctioned, including five injuries and no reports of deaths.
- Alaris Syringe Pump, Model 8110, Class I – Channel Error code is displayed on the PC unit with an audio and visual alarm, and on the syringe module. After the error is cleared on the PCU, the syringe pump is unresponsive to key presses until the next power cycle, or the module is detached and reattached.
- Covidien, Puritan Bennett 980 Ventilators, Class I – Reports in which tidal volumes reaching patients were lower than set tidal volumes in neonatal Volume Control Plus (VC+) Mode with active humidification. This situation may potentially lead to respiratory compromise if not recognized.
- CareFusion Alaris Syringe Pump Alarm, Class I – An error in the syringe pump triggers a visual and audible alarm and causes the pump to stop supplying the infusion to the patient. Even when the user clears the error code 351.6740, the syringe pump does not respond to key presses until the product is detached and reattached to the PC unit used to program, monitor and provide power to the syringe pump. Failure of syringe module may result in a delay or interruption of therapy and can lead to serious patient injury or death. CareFusion has received 108 reports of the issue occurring. There have been no reports of permanent injury or death.
- Elekta Oncentra Radiation Therapy Planning, Class II – When using the option “Tumor Overlap Fraction” in VMAT planning it has been observed that in rare cases the system does include an organ at risk as target volume. This could result in open MLC, and open jaws in areas away from the target volume.
- Philips MR systems using 1i & R5.1.2 SW, Class II – In spine clinical workflows, cross reference lines may be used to determine the position of slices. In cases where MobiView fused images are used to show the cross reference lines, the cross reference lines may be positioned incorrectly.
- Natus NicoletOne Software, Class II – Natus Neurology has discovered that when using the NicoletOne v5.94 software, after exiting the impedance check function and returning to the EEG screen, the impedance check signal remains active in waveform, obscuring the EEG signals.
- Toshiba Aquilion CT System TSX-101A, Class II – It was found that if two specific operations are performed in multi-phase helical scanning, the acquired raw data may not be saved.
- GE Centricity PACS IW, Class II – Images may be missing when a system parameter MapRoute is set to a value greater than one.
- Monaco Radiation Treatment Planning System, Class II – Dose and MU are incorrect when CT images are viewed from the head, and, when using multiple prescriptions with forced densities.
- Siemens SOMATOM Definition AS, Class II – Software bug issues for SW- Version The following safety issues were resolved: 1) Correction to improve visual warning and error indications on the gantry display. 2) Correction to improve acquisition data in order to optimize image quality. 3) Correction to improve robustness and general system behavior in some exception handling procedures. 4) Correction to improve auto post processing coupled to Twin Beam examinations. 5) Correction to assure proper communication between system components. 6) Correction to improve robustness of ECG triggering.
- Toshiba Celesteion PCA-9000A/2 PET/CT, Class II – It was found that if specific operations are performed in multi-phase helical scanning, the acquired raw data may not be saved due to a software problem.
- Carto 3 EP Navigation System, Class II – Image disappeared from the cardiac ultrasound system when the CARTO 3 EP Navigation System needed restarting while the patient was experiencing pericardial effusion. Affects the CARTOSOUND Module of the CARTO 3 EP Navigation System when used with the SOUNDSTAR eco 8F and 10F Diagnostic Ultrasound Catheters. New precautions added.
- Soundstar Diagnostic Ultrasound Catheters, Class II – Image disappeared from the cardiac ultrasound system when the CARTO 3 EP Navigation System needed restarting while the patient was experiencing pericardial effusion. Affects the CARTOSOUND Module of the CARTO 3 EP Navigation System when used with the SOUNDSTAR eco 8F and 10F Diagnostic Ultrasound Catheters. New precautions added.
- Beckman Coulter MicroScan LabPro, Class II – Beckman Coulter is recalling the MicroScan LabPro Information Manager System because the software incorrectly allows the operator to manually edit the carbohydrate substrates when manually reading dried overnight gram negative panels with an ID Hold status.
- Siemens Linear Accelerator Systems, Class II – A software fix has been released to prevent automatic movement resulting in a collision safety risk for patients.
- Bayer Injector, Angiographic, Class II – Software Version SW 005.006_SH, has a potential situation involving the purge enforcement procedure. This recent software revision has resulted in the removal of purge enforcement from traditional New-Case, Power Up and Syringe Change use cases while the injector head is in the upright position. No injuries reported.
- Medtronic CryoConsole, Class II – Medtronic has identified an issue with a USB memory component contained within a subset of CryoConsoles. The issue can result in extended procedure time.
- Siemens ACUSON SC2000 Ultrasound, Class II – The ACUSON SC2000 ultrasound system considers uppercase/lowercase differences in the same patient name as unique patient instances when registered on the same ultrasound system. If these differences are not corrected at the time of registration, the system does not capture images or clips.
- CDI 500 Blood Parameter Monitoring System, Class II – Inaccuracies in SvO2, temperature, pH, pCO2, pO2, Hematocrit, and Potassium readings following a software upgrade to version 1.69.
- Lumenis Light Sheer Desire Diode Laser, Class II – Device software treatment preset parameters for the XC treatment handpieces do not match the Operator Manual, and exceed recommended settings. Operator Manual parameters are lower than indicated for specific hair color and Fitzpatrick skin type resulting in insufficient treatment effect. May result in patient burns and hypopigmentation.
Were these software recalls due to insufficient testing? Were they due to not following the SDLC Procedure? Your guess is as good as mine.
Warning Letters
- Merge Healthcare, Inc. – Inspections revealed that your firm’s devices are adulterated within the meaning of section 501 (h) of the Act, 21 U.S.C. § 351 (h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System (QS) regulation found at Title 21, Code of Federal Regulations (CFR), Part 820. Failure to adequately establish procedures for design validation, as required by 21 CFR 820.30(g). Specifically, QS-57532 (Rev. 2.0, WI-Customer Validation Process) allows for devices that have not yet fully completed design validation, including software validation, to be shipped to end users for clinical use on patients in a Limited Availability basis for the purpose of collecting additional feedback prior to the completion of design validation activities. Further, the Merge HEMO V10.0 was shipped to (b)(4) end users for clinical use in cardiac catheterization procedure labs as part of the firm’s design validation plan as a Limited Availability release; these devices had not been fully validated. Additionally, document number HEMO-6830 (Rev. 1.0, Customer Validation Plan Merge Hemo 10.0) describes the customer validation process conducted at the two end user facilities during the Pre-Release/Limited Availability release timelines where it is indicated the software will be used in a production environment, i.e. for patient use. We have reviewed your response dated August 12, 2015. We acknowledge your commitment to updating your design validation procedure. However, your response is inadequate in that you have not provided an updated procedure for review, nor have you provided a timeframe for implementation of your new design validation process.
It is also unclear whether other in-progress design projects may be affected by your elimination of the Limited Availability release, including whether any of your devices are currently being utilized by end users prior to completion of design validation.
- Unimark Remedies Ltd – Failure to prevent unauthorized access or changes to data and to provide adequate controls to prevent omission of data. Your laboratory systems lacked access controls to prevent raw data from being deleted or altered. For example: a. During the inspection, we noted that you had no unique usernames, passwords, or user access levels for analysts on multiple laboratory systems. All laboratory employees were granted full privileges to the computer systems. They could delete or alter chromatograms, methods, integration parameters, and data acquisition date and time stamps. You used data generated by these unprotected and uncontrolled systems to evaluate API quality. b. Multiple instruments had no audit trail functions to record data changes. We acknowledge your commitment to take corrective actions and preventive actions to ensure that your laboratory instruments and systems are fully compliant by January 15, 2015. In response to this letter, provide a copy of your system qualification to demonstrate that your electronic data systems prevent deletion and alteration of electronic data. Describe steps you will take (e.g., installing better systems or software) if your qualification efforts determine that the current system infrastructure does not assure adequate data integrity. Explain the archival process your firm has implemented to address these issues and how you will evaluate the effectiveness of these corrections. Provide a detailed summary of the steps taken to train your personnel on the proper use of computerized systems. Failure to maintain complete data derived from all testing, and to ensure compliance with established specifications and standards.
Because you discarded necessary chromatographic information such as integration parameters and injection sequences from test records, you relied on incomplete records to evaluate the quality of your APIs and to determine whether your APIs conformed with established specifications and standards. For example: a. During the inspection, the investigator found no procedures for manual integration or review of electronic and printed analytical data for (b)(4) stability samples. Electronic integration parameters were not saved or recorded manually. When the next samples were analyzed, the previous parameters were overwritten during the subsequent analyses. b. We found that some analytical testing data was inadequately maintained and reviewed.
i. Your HPLC 14 computer files included raw data for undocumented (b)(4) stability samples analyzed on December 30, 2013, but no indication of where these samples came from and why they were tested.
ii. In a data file folder created on May 22, 2013, 23 chromatograms were identified as stability samples for (b)(4) lots (b)(4), and (b)(4). Results were not documented. More importantly, the acquisition date was July 7, 2013, more than six weeks after the samples were run. iii. (b)(4) lots (b)(4) and (b)(4) were not in your stability study records at the time of inspection. Additionally, there were no log notes of any samples from the three lots removed from the stability chamber. You responded that the probable reason for this inconsistency in data acquisition was due to some malfunction in the computer system at the time of data acquisition. Your response is inadequate because you have provided neither evidence to support this conclusion, nor a retrospective review of the effects your incomplete analytical data records may have had on your evaluation of API quality. In response to this letter, provide your revised procedures and describe steps you have taken to retrain employees to ensure retention of complete electronic raw data for all laboratory instrumentation and equipment. Also, provide a detailed description of the responsibilities of your quality control laboratory management, and quality assurance unit for performing analytical data review and assuring integrity (including reconcilability) of all data generated by your laboratory.
- Hoya Corporation (PENTAX Life Care Division) – Inspections revealed that your firm’s devices are adulterated within the meaning of section 501 (h) of the Act, 21 U.S.C. § 351 (h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System (QS) regulation found at Title 21, Code of Federal Regulations (CFR), Part 820. Failure to establish and maintain procedures for implementing corrective and preventive action, as required by 21 CFR 820.100(a).
IEC 62304 Update
The update for IEC 62304 (Software Development Life Cycle) was released on 26 June 2015. This update (listed as IEC 62304:2006+AMD1:2015 and Edition 1.1) adds a flow for determining the Software Safety Classification, addresses validation of legacy software, and makes other miscellaneous clarifications and minor technical changes. Adoption as an EN is happening concurrently with the release of the standard, so harmonization by the EU should happen later this year or early next year.
Edition 2 of the standard is in early draft stage in the committee and is expected to be released not before 2016.
Additional changes have been made to legacy software, software requirements content (system security/malware protection requirements, requirements related to IT-network aspects, etc.), software system testing (verification & validation), etc.
FDA Issues draft guidance on Interoperable Devices
The FDA issued a draft guidance on 26/1/16 addressing how manufacturers of electronic interoperable devices design their products as well as what to include in premarket submissions. The guidance recommends that manufacturers take into account information, functional and architectural models during their products’ design and development phases. The guidance highlights five key areas:
- Purpose of electronic data interface
- Anticipated users
- Security and risk management
- Verification and validation
- Labeling
www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482649.pdf
FDA Issues a safety communication to Healthcare facilities using the Hospira Symbiq Infusion System
The FDA has issued a safety communication to health care facilities using the Hospira Symbiq Infusion System regarding cybersecurity vulnerabilities. FDA is advising facilities to seek alternative infusion systems. In the interim, it recommends, along with other measures, disconnecting the systems from networks and maintaining the drug libraries by updating them manually.
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
Hospira issued two communications on their website: Reported Symbiq Cybersecurity Vulnerabilities and Infusion Device Cybersecurity.
http://www.hospira.com/en/about_hospira/newsroom/cybersecurity
http://www.hospira.com/en/about_hospira/newsroom/cybersecurity/cybersecurity_vulnerabilities
IMDRF Guidances Released on SaMD
The International Medical Device Regulators Forum (IMDRF) has issued the Software as a Medical Device (SaMD): Application of Quality Management System document. The objective of the document is to provide guidance on the application of existing standardized and generally accepted quality practices to Software as a Medical Device (SaMD). The document, as well as all other IMDRF documents, can be downloaded from the IMDRF website.
http://www.imdrf.org/documents/documents.asp
Postmarket Management of Cybersecurity in Medical Devices
The FDA released on 22/1/16 the draft guidance for Postmarket Management of Cybersecurity in Medical Devices. This guidance contains many significant new expectations and provisions including use of concepts from a NIST report on cybersecurity and exemptions from reporting under 21 CFR 806 and 803 for companies that participate in cybersecurity information sharing through an Information Sharing Analysis Organization (ISAO).
Furthermore, the FDA recommends that manufacturers design cybersecurity risk management programs incorporating components of the NIST Framework for Improving Critical Infrastructure Cybersecurity, a broader US federal framework designed to address cybersecurity issues across critical infrastructures.
www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf
Cybersecurity Risk Management
The AAMI TIR57 on medical device cybersecurity risk management should be published this year. All interested in cybersecurity should look into this.
MDDS Not to be Enforced by FDA
On February 9, 2015, FDA issued a final guidance document “Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices,” in which the agency finalized a deregulatory policy for certain software devices. FDA’s new guidance document largely confirms the enforcement policies listed in the draft guidance document the FDA issued in July 2014.
The FDA states that it does not intend to enforce compliance with FDA regulatory controls, including registration and listing, premarket review, postmarket reporting, and quality system regulations (QSRs), for the following device types:
- Medical device data systems (MDDS) (as defined in 21 C.F.R. § 880.6310),
- Medical image storage devices (as defined in 21 C.F.R. § 892.2010), and
- Medical image communications devices (as defined in 21 C.F.R. § 892.2020).
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM401996.pdf
ISO 13485:2016 – Medical devices. Quality management systems. Requirements for regulatory purposes
The draft standard is in the process of being published and is at the Final Draft International Standard (FDIS) stage. It should be published by Q1/16. The white paper from Working Group WG1 of Technical Committee TC210 proposes a three (3) year transition period.
The proposal from the white paper says:
This phase concerns the co-existence of the availability of accredited certification to ISO 13485:2003 and ISO 13485:2016. It is recommended to ISO TC 210 that this phase last for three years, during which time users will have to update their quality management systems to meet the requirements of ISO 13485:2016 to an accredited certificate. It is recommended that the users of ISO 13485:2003 work with their certification bodies or registrars to schedule an upgrade audit at a convenient time within the transition period.
It is recommended that:
Two years after the publication of ISO 13485:2016 all accredited certifications issued (new certifications or re-certifications) will be to ISO 13485:2016.
Three years after publication by ISO of ISO 13485:2016, any existing certification issued to ISO 13485:2003 will not be valid.
FDA Clarifies its eCopy Medical Device Submission Program
The FDA has released the eCopy Program for Medical Device Submissions Guidance on 3/12/15.
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM313794.pdf
General FDA Guidances Released
The FDA has released the following guidances with the corresponding links.
Intent to Exempt Certain Unclassified, Class II, and Class I Reserved Medical Devices from Premarket Notification Requirements
http://www.fda.gov/ucm/groups/fdagov-public/@fdagov-meddev-gen/documents/document/ucm407292.pdf
Static Code Analysis
Static Code Analysis (SCA) is still a major issue and is being utilized by the FDA in more submissions than in the past. Please contact us for further details.
Even if the FDA does not (at this time) request a Static Code Analysis Report for your software, we highly recommend using the static and dynamic tools that are available, as this ensures higher quality software (see the recalls concerning software above). For those using the IAR Embedded Workbench, there is C-STAT Static Analysis and Code Analysis for runtime. For those developing software using Visual Studio from Microsoft, this IDE has code analysis tools built in.
Software V&V Process
There are many companies putting off the software V&V process. This is a mistake, as you can’t add quality to your software afterwards. The quality has to be built into the software from the requirements through the design. These companies think that they are saving money, but it is costing them money in the mid to long term. We highly recommend that companies start the software V&V process early in development and not later on.
Support Software Validation
According to the FDA and CE, all software used as a component, part, or accessory of a medical device, used in the production of a device, or used in implementation of the device manufacturer’s quality system requires validation. These software applications include ERP, CRM, QA, PLM, ALM, PDM, LIMS, HPLC, CAD and CAM applications as well as all software in production equipment. Also included are Excel spreadsheets that you use in your labs or under the quality system requirements.
You may ask if the scope of validation is the same for all of the application types. The answer is that the scope may not be the same, and there may even be major differences in scope between them. This should be investigated.
If there are any questions or requests, please feel free to contact us.
Mike