medical device software
play

Medical Device Software Michelle Jump, MS, MSRS, CHA Principal - PowerPoint PPT Presentation

Mar 23, 2023 •456 likes •863 views

Navigating Regulatory Issues for Medical Device Software Michelle Jump, MS, MSRS, CHA Principal Regulatory Affairs Specialist Stryker Corporation IEEE Symposium on Software Reliability Engineering (Ottawa, ON) October 24, 2016 Does my device

  1. Navigating Regulatory Issues for Medical Device Software Michelle Jump, MS, MSRS, CHA Principal Regulatory Affairs Specialist Stryker Corporation IEEE Symposium on Software Reliability Engineering (Ottawa, ON) October 24, 2016

  2. Does my device Many Issues to Consider… connect to a network? Is it a mobile app Is my device or use a mobile made up solely app as an of software? accessory? What do Does my device regulators want handle protected health to see for information? security? 2

  3. How might it impact me? How should I What is prepare? changing? Changes to Classification Cybersecurity Software & MDDS 3

  4. Changes to Medical Device Software 4

  5. Software Modifications • What is changing? • FDA has released guidance clarifying when to submit 510(k)s for software modification • Previous FDA guidance (K-97) gave little specific guidance on software • Result: lots of extra 510(k) • When is a change to software considered “significantly affecting safety or effectiveness”? (21 CFR 807.81(a)(3)) http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM514737.pdf 5

  6. Software Modifications • Fundamentals • Uses Risk Based Analysis to determine whether a change is significant 1. Add or modify an existing hazard? 2. Add or modify and existing cause? 3. Add or modify and existing mitigation? • “Could significantly affect” evaluation and the role of testing • Focus on known risks and outcome of testing • Unintended consequences of changes • Need to think about this but decisions based on planned changes 6

  7. 7

  8. 8

  9. 9

  10. Software Modification • How might it impact me? • Clarify when to submit a 510(k) – expect significant reduction • More clear decisions on impact of software changes: based on standard risk management practices • Allow for better management of changes in field • Companion consideration: Distinguishing Medical Device Recalls from Enhancements (http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocume nts/ucm418469.pdf) 10

  11. MDDS • How should I prepare? • Plan software architecture: no “spaghetti code” • Be clear about functions of specific sections of code so risk of changes is clear • Good risk management foundation to clearly assess and document risks: ISO 14971 is your friend 11

  12. Classification and MDDS 12

  13. Regulatory Strategy 101 for Connected Devices • Historically: A Medical Device and its Accessories= a system • Everything is grouped, cleared, and assessed as a system • Connected Devices force a break in that mold • Lines must be drawn between the device and the network/other devices • Still must address the risks and functional needs of the connected environment • The Snowflake Challenge: If you’ve seen one hospital, then you’ve seen one hospital. Hospitals ≠ McDonalds • Identifying “representative use environments” is nearly impossible for many devices 13

  14. MDDS: A useful tool • Medical Device Data Systems (MDDS) are a unique product type Medical Device Data Systems (MDDS) are hardware or software products that transfer, store, convert formats, and display medical device data . DATA An MDDS does not modify the data or modify the display of the data , and it does not by itself control the functions or parameters of any other medical device . 14

  15. MDDS • What is changing? • MDDS are now under “enforcement discretion” so FDA does not actively regulate (previously Class 1) • No QS • No registration and listing • No audits • No adverse events • No recalls • No 510(k) http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm401996.pdf 15

  16. MDDS • How might it impact me? • They can serve as a separation point that defines the border of a medical device – not part of the medical device • MDDS can transfer command and control information as long as the it does not originate the command • MDDS can also serve multiple devices • Simplify 510(k) since not part of submission 16

  17. NO MDDS CLOUD MD #2 DATA Medical Device System MD #1 17

  18. NO MDDS CLOUD MD #2 DATA The “system” grows and things get complicated…. MD #1 18

  19. With MDDS CLOUD MD #2 MDDS – DATA no current FDA oversight Clearer MD #1 Boundaries 19

  20. MDDS • How should I prepare? • They also serve as defining lines as to the edge of the device. The device stops where the MDDS begins. You still need to show the FDA that the device can interact and serve its function but only as it relates to the function provided to the medical device • MDDS are under “enforcement discretion” meaning that FDA is not enforcing any regulations for these devices. 20

  21. Cybersecurity 21

  22. Cybersecurity • What is changing? • New Guidance from FDA on both premarket and postmarket • Increased focus from regulators, researchers, and users • No new regulations expected: Just a cost of doing business 22

  23. PREMARKET Cybersecurity • FDA Guidance: Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (LINK) • Fairly short and high level: 9 pages • Structured around NIST Framework: Identify, Protect, Detect, Respond, Recover • No 510(k)s for most cybersecurity patches • In the 510(k) • Hazard Analysis, mitigations, and design considerations • Link your controls to the risks • Provide PLAN FOR SOFTWARE UPDATES (new expectation – outside basic design, V&V, risk) • Summary of how you plan to keep malware out of your released software until transferred to customer • IFU: describe security controls for the use environment (anti-virus, firewall) 23

  24. POSTMARKET Cybersecurity • FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices - Draft (LINK) • More depth (25 pg) and includes additional premarket content • Multitude of references to 21 CFR Part 820: FDA considers cybersecurity management part of existing regulations • Important definitions: • Essential Clinical Performance: performance necessary to achieve freedom from unacceptable clinical risk • Compensating Controls: safeguard or countermeasure, external to device, used by user in lieu of sufficient controls designed in or to provide supplementary cyber protection; lends defense in depth • Cybersecurity Signal: any information which indicate potential for vulnerability or exploit in medical device 24

  25. POSTMARKET Cybersecurity • FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices - Draft con’t . Focus on vulnerabilities that may permit: unauthorized access, modification, misuse or denial of use, or unauthorized use of info that is stored, accessed, or transferred to an external recipient…..or may impact patient safety. Identifying New Vulnerabilities • Establish Coordinated Vulnerability Disclosure policy and process: hear from 3 rd parties • Joining NH-ISAC: National Health Information Sharing and Analysis Center: share with industry • Additional Benefit: Risk Management: both a premarket and postmarket consideration • Key consideration: when do you have to address a vulnerability? • Does it impacts Essential Clinical Performance? If so, is it controlled? • How severe is the impact to health? 25

  26. POSTMARKET Cybersecurity • FDA Guidance: Postmarket Management of Cybersecurity in Medical Devices - Draft con’t . *FDA will not enforce reporting requirement under 21 CFR part 806 (Corrections and Removals) if all of the following are met ( emphasis mine ): 1. There are no known serious adverse events or deaths associated with the vulnerability 2. Within 30 days of learning of vulnerability, manufacturer identifies and implements device changes/compensating controls to bring risk to acceptable 3. Manufacturer is a participating member of an ISAO, such as NH-ISAC 26

  27. Cybersecurity • How might it impact me? • May hear from customers or researchers who scan your device and find a vulnerability • FDA submissions under higher scrutiny • Ongoing monitoring needed for new vulnerabilities and breaches 27

  28. Cybersecurity • How should I prepare? • Start with the basics: • Follow existing recognized standards such as IEC 80001-2-2 • Prepare MDS2 forms: based on security capabilities in IEC 80001-2-2 • TIR 57: Principles for medical device security: Risk Management • Many other standards cover general security issues (ISO 27000) (http://www.nema.org/Standards/Pages/Manufacturer-Disclosure-Statement-for-Medical-Device-Security.aspx) 28

  29. Security Capabilities from IEC 80001-2-2 1. Automatic Logoff 2. Audit Controls 3. Authorization 4. Configuration of Security Features 5. Cybersecurity product upgrades 6. Health Data De-identification 7. Data Backup and Disaster recovers 8. Emergency Access 9. Health Data Integrity and Authenticity 10. Malware Detection/Protection 11. Node Authentication 12. Person Authentication 13. Physical Locks 14. Roadmap for 3 rd Party Components in Device Lifecycle 15. System and Application Hardening 16. Security Guidance 17. Health Data Storage Confidentiality 18. Transmission Confidentiality 19. Transmission Integrity 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Convergence of The Convergence of Software in the Medical Software in the Medical Device

The Convergence of The Convergence of Software in the Medical Software in the Medical Device

The Convergence of The Convergence of Software in the Medical Software in the Medical Device Industry Device Industry Joseph Azary 203-944-9320 Info@azarytech.com FDA Regulations & Quality Requirements Clinical Sterilization FDA

872 views • 68 slides
Proposed Reforms to the Regulation of Software, Including Software as a Medical Device -

Proposed Reforms to the Regulation of Software, Including Software as a Medical Device -

Proposed Reforms to the Regulation of Software, Including Software as a Medical Device - Consultation Results Dr Elizabeth McGrath Director, Emerging Technologies Medical Devices and Product Quality Division Health Products and Regulation

810 views • 47 slides
Update on software as a medical device (SaMD) The TGA and IMDRF perspectives Patrick L OMeley

Update on software as a medical device (SaMD) The TGA and IMDRF perspectives Patrick L OMeley

Update on software as a medical device (SaMD) The TGA and IMDRF perspectives Patrick L OMeley Biomedical and Software Engineer Device Vigilance and Monitoring Section, Medical Devices Branch Medical Devices and Product Quality Division, TGA

1.29k views • 21 slides
Regulation of software, including software as a medical device Dr Elizabeth McGrath Director,

Regulation of software, including software as a medical device Dr Elizabeth McGrath Director,

Regulation of software, including software as a medical device Dr Elizabeth McGrath Director, Emerging Technologies Dr Lee Walsh CPEng (Presenter) Technical Lead, Digital Health Medical Devices and Product Quality Division 7 March 2019

374 views • 36 slides
Software as a Medical Device (SaMD) Framework for Risk Categorization and Corresponding Controls

Software as a Medical Device (SaMD) Framework for Risk Categorization and Corresponding Controls

Software as a Medical Device (SaMD) Framework for Risk Categorization and Corresponding Controls IMDRF/WG/N12 Proposed Document (PD1)R5 Goals International convergence and common understanding of Software as a Medical Device (SaMD):

298 views • 11 slides
Regulation of software as medical devices When is software a medical device? Patrick L OMeley

Regulation of software as medical devices When is software a medical device? Patrick L OMeley

Regulation of software as medical devices When is software a medical device? Patrick L OMeley Devices Vigilance and Monitoring Post-market Surveillance Branch Monitoring and Compliance Division, TGA ARCS Scientific Congress 2015 7 May 2015

322 views • 16 slides
Software as a Medical Device (SaMD) Application of Quality Management System

Software as a Medical Device (SaMD) Application of Quality Management System

Software as a Medical Device (SaMD) Application of Quality Management System IMDRF/WG/N23FINAL:2015 Bakul Patel, USA FDA Chair SaMD Working Group NWIP Quality Management System for Software as Medical Device (SaMD) Scope

239 views • 12 slides
Software as a Medical Device (SaMD) Application of Quality Management System IMDRF/WG/N23

Software as a Medical Device (SaMD) Application of Quality Management System IMDRF/WG/N23

Software as a Medical Device (SaMD) Application of Quality Management System IMDRF/WG/N23 Proposed Document (PD1)R3 NWIP - Quality Management Systems for Software as a Medical Device (SaMD) Scope Translate and adapt existing quality

366 views • 13 slides
Software as a Medical Device (SaMD) Clinical Evaluation IMDRF/SaMD WG (WD2)/N41R1: 2016 Bakul

Software as a Medical Device (SaMD) Clinical Evaluation IMDRF/SaMD WG (WD2)/N41R1: 2016 Bakul

Software as a Medical Device (SaMD) Clinical Evaluation IMDRF/SaMD WG (WD2)/N41R1: 2016 Bakul Patel, USA FDA Chair SaMD Working Group NWIE Proposal - Software as a Medical Device (SaMD): Clinical Evaluation Scope Guidance on when

799 views • 14 slides
Software as a Medical Device (SaMD) Working Group Status Application of Clinical Evaluation

Software as a Medical Device (SaMD) Working Group Status Application of Clinical Evaluation

Software as a Medical Device (SaMD) Working Group Status Application of Clinical Evaluation Working Group Chair: Bakul Patel Center for Devices and Radiological Health US Food and Drug Administration NWIE Proposal - Software as a Medical

649 views • 15 slides
Clinical Evidence Requirement of Software as a Medical Device (SaMD) Dr David Hau Senior

Clinical Evidence Requirement of Software as a Medical Device (SaMD) Dr David Hau Senior

Clinical Evidence Requirement of Software as a Medical Device (SaMD) Dr David Hau Senior Medical Officer, Clinical Section, Medical Devices Branch Innovate Health Conference 27 June 2019 Essential Principle 14 Clinical evidence Every

591 views • 11 slides
MEDICAL DEVICE REW a clinicians perspective INTERNATIONAL MEDICAL DEVICE REGULATORY FORUM

MEDICAL DEVICE REW a clinicians perspective INTERNATIONAL MEDICAL DEVICE REGULATORY FORUM

MEDICAL DEVICE REW a clinicians perspective INTERNATIONAL MEDICAL DEVICE REGULATORY FORUM (IMDRF) 2017 Harindra Wijeysundera MD PhD FRCPC Vice President Medical Devices & Clinical Interventions, CADTH Associate Professor, Department of

750 views • 37 slides
Current Regulatory Landscape for Medical Device 3D-Printing Elizabeth McGrath Director, Medical

Current Regulatory Landscape for Medical Device 3D-Printing Elizabeth McGrath Director, Medical

Current Regulatory Landscape for Medical Device 3D-Printing Elizabeth McGrath Director, Medical Device Reforms and Emerging Technology Therapeutic Goods Administration Department of Health 30 March 2019 Medical device 3D printing - This talk

589 views • 22 slides
LNE/G-MED North America, Inc Embedded Software in Medical Device : Common Regulatory and Quality

LNE/G-MED North America, Inc Embedded Software in Medical Device : Common Regulatory and Quality

contact@lne-america.com 1-301-495-0477 lne-america.com LNE/G-MED North America, Inc Embedded Software in Medical Device : Common Regulatory and Quality Misconceptions. 9/28/2016 Do not distribute or reproduce without

716 views • 26 slides
Recent Developm ents in Medical Device Softw are Overview of Mobile Medical Apps and

Recent Developm ents in Medical Device Softw are Overview of Mobile Medical Apps and

Recent Developm ents in Medical Device Softw are Overview of Mobile Medical Apps and Medical Device Data System s February 14, 2016 John Grimes, Ph.D. U.S. Food and Drug Administration Center for Devices and Radiological Health Office

727 views • 47 slides
Challenges of conducting a Clinical Investigation of a Medical Device in Academia Taragh Keily

Challenges of conducting a Clinical Investigation of a Medical Device in Academia Taragh Keily

Challenges of conducting a Clinical Investigation of a Medical Device in Academia Taragh Keily Contents Background ANSeR project and ANSeR Clinical Investigation Investigational Medical Device: The ANSeR Software System Product

592 views • 20 slides
Zi-Medical Inc. Company Introduction Boston San Jose Beijing Taipei

Zi-Medical Inc. Company Introduction Boston San Jose Beijing Taipei

Zi-Medical Inc. Company Introduction Boston San Jose Beijing Taipei www.zi-medical.com Confidential Info do not distribute without permission Confidential Info do not distribute without permission Delivering a medical product

466 views • 7 slides
How to Id Identify fy a Good CMO? Con Contract Manufacturer Or Organiz izatio ion (CM (CMO)

How to Id Identify fy a Good CMO? Con Contract Manufacturer Or Organiz izatio ion (CM (CMO)

How to Id Identify fy a Good CMO? Con Contract Manufacturer Or Organiz izatio ion (CM (CMO) If they display federal icons, like those: Ask: Why are you in breach of trademark laws? How to Id Identify fy a Good CMO? Con Contract

463 views • 20 slides
Strategic Im plications of UDI and Contract Adm inistration 2014 Fall Conference Dec 9 11,

Strategic Im plications of UDI and Contract Adm inistration 2014 Fall Conference Dec 9 11,

What? Strategic Im plications of UDI and Contract Adm inistration 2014 Fall Conference Dec 9 11, 2014 OMNI Hotel, Chicago Danny Adams Elizabeth Hilla President and CEO Senior Vice President, Health Industry Distributor Data Solutions

257 views • 15 slides
Dynamic Reasoning for Safety Assurance Ibrahim Habli Ibrahim.habli@york.ac.uk Based on an ICSE

Dynamic Reasoning for Safety Assurance Ibrahim Habli Ibrahim.habli@york.ac.uk Based on an ICSE

Dynamic Reasoning for Safety Assurance Ibrahim Habli Ibrahim.habli@york.ac.uk Based on an ICSE NIER 2015 paper with Ewen Denney and Ganesh Pai https://ti.arc.nasa.gov/publications/21593/download Background Paradigm shift in many domains

512 views • 29 slides
Go Good Ma Manufacturi ring Practices and Ins and Instan antGMP P Soft Softwar are

Go Good Ma Manufacturi ring Practices and Ins and Instan antGMP P Soft Softwar are

Go Good Ma Manufacturi ring Practices and Ins and Instan antGMP P Soft Softwar are Orie ientation ion Slid Slides Topics To Master Production Overview Batch Production Record Workflow Record Workflow Purpose of GMPs

652 views • 48 slides
DISABILITY AND AGING: DYNAMIC DIVERSITY Vicki L. Hanson B. Thomas Golisano College of Computing

DISABILITY AND AGING: DYNAMIC DIVERSITY Vicki L. Hanson B. Thomas Golisano College of Computing

DISABILITY AND AGING: DYNAMIC DIVERSITY Vicki L. Hanson B. Thomas Golisano College of Computing and Information Systems Rochester Institute of Technology QUESTION: Computing has made significant advances that allow for an ever-increasing

865 views • 21 slides
WANT TO CONTACT Dont Limit Your ROSS? Future Income by Celebra6ng Helen Broder

WANT TO CONTACT Dont Limit Your ROSS? Future Income by Celebra6ng Helen Broder

WANT TO CONTACT Dont Limit Your ROSS? Future Income by Celebra6ng Helen Broder Yesterdays Profits. (910)256-1204 Ross Shafer Helen@RossShafer.com Ross Shafer VTR CURRENT: Knowing Skinny Jeans are Popular What Im

1.16k views • 73 slides
Fear and Loathing at the IETF Fear and Loathing at the IETF (Ten Years with No Pay) (Ten Years

Fear and Loathing at the IETF Fear and Loathing at the IETF (Ten Years with No Pay) (Ten Years

Fear and Loathing at the IETF Fear and Loathing at the IETF (Ten Years with No Pay) (Ten Years with No Pay) Note: Note: NEVER joke about your presentation title with the Panel Chairperson!! NEVER joke about your presentation title with the

374 views • 9 slides

More recommend