regulatory and quality system professionals | 919.313.3960
Colliding Cultures: Software Development and the Medical Device Industry

Colliding Cultures: Software Development and the Medical Device Industry

Part 1 – Medical Device Software, the FDA and the US Congress Preface: In any given 2-week period, an average of 15% to 20% of the applications on my smartphone have new versions to fix software bugs. Others I speak with experience similar statistics. And, that doesn’t include how often my smartphone software crashes while executing tasks it was intended to perform. We don’t complain about it. Instead, we accept this state of constant, almost continuous, software revision to fix bugs as a matter of “how things are.” We have come to terms with the fact that the normal state of software is for it to be broken, in need of repair and “acceptably” functional, while simultaneously defective. One might think, given the prevalence and importance of software, we would reject software disrepair as normal – especially for critical applications that impact safety. But, the evidence suggests otherwise. If you perform a search on the FDA Medical Device Recall Database from January 1, 2013 to August 14, 2015, you will see 500 device recalls reported. This is the maximum number of rows the FDA report supports in a single query (meaning more than 500 devices were recalled). Enter the keyword “software” into the search, and the query returns 344 recalls due to medical device software. Reviewing randomly through these notices confirms that software issues played an instrumental – or the only – role in the recalls. And, all but nine are Class I or Class II recalls in response to a risk of temporary or serious adverse health consequences due to software problems. Is software so difficult and challenging...
Cybersecurity – A Real Threat to Medical Devices

Cybersecurity – A Real Threat to Medical Devices

The FDA is Taking Notice of Medical Device Cybersecurity The FDA just issued a Safety Communication on cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals, or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures. Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers. This can potentially harm the patient. While it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling this product, cybersecurity is still a real concern. It will be critical for manufacturers to implement appropriate safeguards now that more and more devices are connecting remotely to healthcare networks. In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. These attacks could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. As products rely more heavily on networked communication, medical device cybersecurity is going to become an even greater concern....
Don’t Forget Safety Testing and the Value of Risk Management!

Don’t Forget Safety Testing and the Value of Risk Management!

Establish the Safety of Your Medical Device with IEC 60601 Compliance In our experience, the most frequently forgotten aspect of medical device development and commercialization from emerging companies is establishing a safety profile of a product. While clinical data or clinical trials may be necessary for establishing safety for some products, many Class II devices that follow a 510(k) clearance pathway require minimal, if any, clinical data to support safety claims. Once the need for clinical data is either planned for or eliminated, establishing the safety of a medical device through additional testing tends to be less of a priority. Depending on the technology incorporated into your medical device, applicable safety standards need to be identified during the design stages of the product. The most widely accepted benchmark for establishing safety for electrical medical devices is a standard called IEC60601-1, where compliance has become an acceptable means for satisfying electrical safety requirements for the commercialization of electrical medical devices in the European Union. 60601-1 has undergone revision recently. The third edition is enforced now in the EU and the second Edition is currently applicable in the U.S. The FDA will require the use of the third Edition of the standard for new devices as of June 30, 2013. In this new edition of the standard, there is strong emphasis on risk assessment, ISO 14971 and, in the U.S, a focus on device usability as an important factor contributing to the safety of the device. Product testing to 60601-1 is a very technical exercise that involves laboratory testing against the standard by a test house, such as Underwriters Laboratories. If...