News and Updates

SoftwareCPR provides these FDA related software and computer news items.


We welcome news and commentary from our clients and web site visitors. Anything we post will be credited to you.

To submit news (or a document or presentation you would like to share) email it to news@softwarecpr.com .


2/18/2019  Being Agile & Compliant - SCPR Public Course*   
Being Agile & Compliant Software CPR Public Training Course
COURSE DATES: February 18 - 19, 2019
TRAINING LOCATION: Tampa, Florida, USA

COST: 2 Full Days for $2,495.00
Early Bird Registration Discount of $500 available through Nov 30th, 2018.
Only a limited number of early bird registration seats are available - Email now!
Send email to: training@softwarecpr.com

Our course is framed around IEC 62304 and how the standard can be used to ensure agile methods and approaches to software development.
Discuss the proper activities and deliverables for safe and effective software.
Uses concepts from AAMI TIR45 as well to help communicate how agile methods can, when used properly, improve software quality.
Reference US regulations and FDA guidance to address potential gaps that can occur with some agile approaches.
Understand how backlog management, development iterations, and release cycles can easily align with the intent and expectations of regulators and auditors.
Discussion on tools and the very important role they MUST play in the effective use of agile methods for medical device and digital health software.
Integrated exercises designed to apply learning!
This 2 day course will be taught by Brian Pate and Ron Baerg of SoftwareCPR®.

Brian was a member of the AAMI working groups that developed TIR32 Medical Device Software Risk Management and TIR45 Effective Application of Agile Practices in the Development of Medical Device Software. Brian currently is the lead faculty for the AAMI Regulatory Requirements for Software Validation course and is co-faculty for the AAMI Agile course. Ron has over 23 years in developing medical device software for many levels of safety risk. Full credentials on our website: https://www.softwarecpr.com

Who Should Attend?
Quality Assurance and Regulatory Affairs professionals. This course will provide a clear understanding of requirements versus areas of flexibility and provide checklists and questions to use for gap analysis, auditing, and vendor and OEM qualification and management.
Product Owners, Scrum Masters/Coaches, software development managers/engineers, risk management, and test engineers. This course provides examples, checklists, and partial templates as well as improving articulation and defense of your approaches to regulatory bodies, internal quality assurance, and regulatory affairs departments.

Training Location:
Center for Advanced Medical Learning and Simulation (CAMLS). As one of the world's largest, free-standing centers fully dedicated to training healthcare professionals, the 90,000-square-foot, three-story facility provides a state-of-the-art, clinical environment with 60,000 square feet dedicated to surgical skills labs, operating suites, a virtual hospital and simulation center, and more than 25,000 square feet of dedicated education and conference space. Conveniently located in the heart of downtown Tampa, FL, it is open 7 days a week to accommodate the numerous demands that challenge today's healthcare providers and researchers as well as its numerous international clients.

Several hotels are within 1 or 2 city blocks of CAMLS. No rental car is needed as many restaurants, shopping and entertainment are easily accessible in the Tampa Riverwalk and Channelside district.

For more information email: training@softwarecpr.com
 
12/11/2018  FDA Draft Self-Monitoring OTC Glucose Test Systems   
FDA issued a draft guidance entitled "Self-Monitoring Blood Glucose Test Systems for Over-the-Counter Use". This draft guidance document provides recommendations to industry about the studies and criteria to include in their premarket submissions for self-monitoring blood glucose test systems used for diabetes management in the home setting.

This guidance (similar to the Prescription POC guidance) identifies software information to submit including displays and user messages, user prompts and response time requirements, and error messages. A footnote indicates units that should be displayed. Appendix I indicates errors to consider including for software such as reporting of unrecognized signal errors.
 
12/11/2018  FDA Draft Glucose Test Systems for Prescription POC   
FDA issued a draft guidance entitled "Blood Glucose Monitoring Test Systems for Prescription Point-of-Care Use". This draft guidance document provides recommendations to industry about the types of information to include in their premarket submissions for blood glucose monitoring systems used for diabetes management in the health care setting.

This guidance identifies software information to submit including displays and user messages, user prompts and response time requirements, and error messages. A footnote indicates units that should be displayed. Appendix I indicates errors to consider including for software such as reporting of unrecognized signal errors.
 
10/26/2018  FDA Webinar Slides - Consensus Use of Standards   
This final Guidance "Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices" replaces the 2013 draft guidance. This guidance focuses on clarifying and formalizing existing FDA practice, including the requirement to submit FDA's standards form for each standard used, and also discusses the use of obsolete standards. Originally standards were a focus for Abbreviated 510(k) but FDA has been requiring information on all standards mentioned in premarket submissions for several years and this guidance formalizes that practice. FDA held a webinar on this guidance and the slides are at the link provided. 
10/17/2018  FDA Draft Cybersecurity Premarket Guidance   
FDA issued a draft guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" dated 10/17/18. This document contains some terms (e.g., Cybersecurity Bill of Materials) and concepts (e.g., Tier 1 and Tier 2 risks) that it is important for manufacturers to understand and address in premarket submissions. It also includes labeling recommendations for cybersecurity information.
 
10/15/2018  FDA CDRH Special 510(k) Pilot Program   
FDA announced a new pilot program to simplify certain 510(k)s. For more information on eligibility click the link provided and scroll to near the bottom of the page. 
10/15/2018  FDA Final Guidance - Use of Standards Guidance   
This final Guidance "Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices" replaces the 2013 draft guidance. This guidance focuses on clarifying and formalizing existing FDA practice, including the requirement to submit FDA's standards form for each standard used, and also discusses the use of obsolete standards. Originally standards were a focus for Abbreviated 510(k) but FDA has been requiring information on all standards mentioned in premarket submissions for several years and this guidance formalizes that practice. 
10/15/2018  UL 5500 Remote Software Updates Standard   
Underwriters Laboratories, Inc. published the First Edition of the Standard for Safety for Remote Software Updates, UL 5500 on September 6, 2018. This standard covers remote software updates taking into account the manufacturer's recommended process to ensure safety. It is limited to software elements having an influence on safety and on compliance with the particular end product safety standard. This standard additionally covers hardware compatibility necessary for safety of the remote software update. It can be purchased at the link provided. 
10/13/2018  SoftwareCPR October 2018 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from early-June 2018 through mid-October 2018. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
10/9/2018  FDA Final Risk Guidance different technologies   
FDA released a final guidance "Benefit-Risk Factors to Consider When Determining Substantial Equivalence in Premarket Notifications (510(k)) with Different Technological Characteristics" dated Sept. 25, 2018. This guidance applies only to devices with similar intended use and if the different technological characteristics do not raise different questions of Safety and Effectiveness. The full guidance is at the link provided. 
10/6/2018  FDA CDRH 2019 New Guidance Plan   
FDA has posted their Fiscal Year 2019 Proposed Guidance Development list and priorities at the link provided. Their highest priority Final Guidance A-List includes Changes to Existing Medical Software Policies, Clinical and Patient Decision Support Software. Their Draft Guidance Topics A-List for development includes Content of Premarket Submissions for Cybersecurity of Medical Devices of Moderate and Major Level of Concern, Computer Software Assurance for Manufacturing, Operations, and Quality System Software. 
10/1/2018  FDA Biologics Assistance Branch (MATTB)   
FDA Center for Biologics provided Manufacturers and Technical assistance. For email and phone contact information and other information about this service click the link provided. 
10/1/2018  FDA CDRH Updates SW Precert Pilot   
For more information on eligibility click the link provided. You can also download the current working model. 
10/1/2018  FDA Device Center Patient Advisory Committee   
For information on the FDA CDRH Patient engagement Advisory Committee including how to nominate candidates click the link provided. 
10/1/2018  FDA Reflects on National Cybersecurity Month   
October is National Cybersecurity Month. For more information from FDA click the link provided. 
9/20/2018  UL 5500 - Safety for Remote SW Updates Approved   
UL 5500 - Safety for Remote Software Updates has been adopted as a US National Standard. It covers the remote updating of software via the manufacturer's recommended process. It is limited to software elements having an influence on safety and on compliance with the particular end product safety standard. It is not specific for medical devices, but applies to remote updating of medical device software having an influence on safety. 
8/1/2018  FDA Raises User fees Oct 1, 2018   
The full information is at the link provided. It also states the new annual registration fees. Keep in mind businesses with under 100 million in gross revenue qualify for the reduced small business fees listed. 
7/27/2018  FDA Clears Home Urinalysis using smartphones   
Dip.io was cleared for clinical urinalysis. The device includes test strips and a color coded card that is readable by smartphone to provide a result for several conditions including infection. More information is at the link provided. 
7/27/2018  FDA Software Precertification News   
Amy Sellers, Legal Intern at SoftwareCPR®, prepared a summary at the link provided. The summary describes four interdependent program components. 
7/27/2018  FDA webpage of examples of cleared apps   
FDA provides examples of cleared Mobile Medical Apps at the link provided. 
7/17/2018  JAMA Article by FDA Staff - Summary   
Amy Sellers summarizes "FDA Regulation of Mobile Medical Apps" by Jeffrey Shuren, MD, JD; Bakul Patel, MS, MBA; Scott Gottlieb, MD below:

The latest communication from FDA regarding regulation of medical apps notes that mobile medical apps can greatly help patients be proactive and vigilant about their own healthcare. There has been increased demand for medical apps, and many of the apps depend on high levels of feedback between patients and clinicians. The FDA wants to regulate the apps efficiently, in a way that is tailored towards the risks and benefits of the apps.

If an app is intended to treat, diagnose, cure, mitigate, or prevent disease or other conditions, it will likely be considered a medical device subject to FDA regulation. Traditional hardware-based devices undergo change more slowly – and the traditional regulatory framework assessed moderate- and high-risk devices via a lengthy premarket review process. Software as a medical device (SaMD), on the other hand, is unique and constantly evolving.

The FDA responded to SaMD in 2011 with “Guidances with Digital Health Content” and some deregulation. The FDA has continued to oversee SaMD (including mobile medical apps), and recently the International Medical Device Regulators Forum (IMDRF) has established a framework for efficient SaMD review that meets patient and developers’ needs. In 2017, the FDA guidance document, Digital Health Innovation Action Plan, described the agency’s plan for a new regulatory model for digital health technologies consistent with the IMDRF policies – including the precertification program for developers to be assessed for quality in order to qualify for streamlined or no premarket review.

It seems the key to remaining current with the rapid changes of medical apps is taking a risk-based approach. An SaMD manufacturer who is certified to have high quality software design, testing, and other internal quality processes, will truly benefit from the pre-certification program. Low-risk products may not undergo premarket review, and high-risk products would be efficiently reviewed. Plus, post-market data collection on the safety and effectiveness of the device would be streamlined, which ultimately benefits the consumers who demand quality mobile medical apps. For the full article click the link provided.
 
7/9/2018  SoftwareCPR June 2018 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from mid-April 2017 through June 2018. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
6/29/2018  FDA Benefit-Risk Analysis Summary   
A summary of FDA benefit-risk analysis is at the link provided. The author is Amy Sellers, a legal intern at SoftwareCPR. 
6/29/2018  FDA eSubmitter Download Webpage   
For information on FDA eSubmitter downloading and installation see the link provided. 
6/7/2018  FDA Q-Submission Program Draft Guidance   
FDA issued the draft guidance "Requests for Feedback and Meetings for Medical Device Submissions: The Q-Submission Program" June 7, 2018. Note that there are a variety of types of Q-submissions and they do not need to be tied to a specific planned 510(k) or other premarket submission. Also note that they are not meant to replace interactive feedback during a 510(k) or other premarket submission process. The full draft is at the link provided. 
6/1/2018  FDA Proposed Reclassification of MIMS   
FDA Issued a Proposed Order to Down-Classify Certain Radiological Medical Image Analyzers, which include computer-assisted detection devices for mammography breast cancer, ultrasound breast lesions, radiograph lung nodules, and radiograph dental caries detection devices, from class III to class II devices. If finalized, this proposed order will reclassify computer-assisted detection devices for certain radiological applications from Class III devices requiring premarket approval, to Class II devices, requiring a less burdensome premarket notification (510(k)) with special controls. 
5/1/2018  FDA Draft MultiFunction Device Guidance   
FDA issued a draft guidance dated April 27, 2018 titled: "Multiple Function Device Products: Policy and Considerations". This guidance expands on
This guidance clarifies when and how FDA intends to assess the impact of other functions that are not the subject of a premarket review on the safety and effectiveness of a device function subject to FDA review. It stresses that the potential impact of unregulated functions on safety and effectiveness of regulated functions will still be assessed, so the degree of design segregation to minimize potential side effects is considered important. This is consistent with concepts from AAMI TIR32 and IEC 80002-1 for Medical Device Software Risk Management. It also explicitly states that functionality that legally meets the definition of a medical device but that is under FDA enforcement discretion will be treated the same as unregulated functions. If an unregulated function could adversely impact the regulated functions, Section VII identifies additional information to be provided in a premarket submission. This includes Architecture and Design detail adequate to understand potential side effects of the unregulated functions and specific risk analysis. The full draft guidance is at the link provided.
 
4/14/2018  Ron Baerg now a Partner at SoftwareCPR   
Ron Baerg, of Seminole, FL USA, is now a partner at Crisis Prevention and Recovery LLC (DBA SoftwareCPR ®) a full service medical device compliance and premarket submissions consultancy. Ron has over twenty three years experience in medical device software development and management. His experience has been primarily focused on large, complex medical device systems with multiple computing systems containing all safety classes of software. His training has included risk management, software V&V, standards such as 62304, and was a recipient of the Baxter Technical Award.

Ron expands the company’s SoftwareCPR capabilities and remediation services. His full CV is on the credentials page of www.softwarecpr.com. For more information please leave a message on the website or call 781-721-2921.
 
4/12/2018  FDA Draft Guidance Expansion of Abbreviated 510(k)   
FDA issued a draft for comment Guidance: Expansion of the Abbreviated 510(k) Program: Demonstrating Substantial Equivalence through Performance Criteria. The outline shows a Section 17 for software information. 
4/6/2018  FDA Unique Device Identifier Webpage Status Update   
The Global Unique Device Identification Database (GUDID) is a database administered by the FDA that will serve as a reference catalog for every device with an identifier. FDA's webpage for this is at the link provided. Beginning of May 2018 – implementation of the releasability logic and beginning of the review period. Beginning of June 2018 – public release of premarket submission and supplement numbers on AccessGUDID and OpenFDA. 
3/29/2018  SoftwareCPR March 2018 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from mid-November 2017 through late-November 2018. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
3/23/2018  Software Standards and FDA Guidance Visual Aid   
Brian Pate, General Manager of SoftwareCPR, prepared a visual aid (one of many we use in our training courses) of key Medical Devices Standards and FDA guidance related to software. This can be viewed or downloaded at the link provided. To find out more on how to use our subscription services to stay current on standards visit our subscription page. To inquire about specific training on-site at your company please email Brian at brian@softwarecpr.com. 
3/10/2018  FDA Software Recall Summary-2017.   
Based on our searches and posting of software related recalls there appears to be a significant decrease of recalls reported to FDA in 2017 compared to 2016. Yearly total software recalls, to the best of our ability to identify them, are listed below. For prior years search our library or look in the recall section for the complete historical summary back to 2004:
2017 - 176
2016 - 346
2015 - 256
2014 - 228
 
3/3/2018  IEC 62304 2nd Edition draft for Committee Vote   
A committee draft for vote of IEC 62304 Ed 2: Health Software – Software life cycle processes has been circulated for ballot. Edition 2 expands the scope of IEC 62304 to include health software that is not regulated as a medical device, and the title has been changed accordingly. This will be the last opportunity to make technical changes. 
3/3/2018  IMDRF Safety/Performance of Medical Devices/IVDs   
The International Medical Device Forum which FDA participates in released a draft for comment entitled: "Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices". This guidance document describes fundamental design and manufacturing requirements, referred to as 'Essential Principles of Safety and Performance' that, when met, indicate a medical device is safe and performs as intended. The draft for comment is at the link provided. 
3/3/2018  SoftwareCPR Mobile App with Regs and Guidance   
SoftwareCPR now has a mobile app available for iPhone and Android. You can search the app stores for SoftwareCPR to download. The app provides key FDA regulations and Software Guidances for quick reference, organized by section. Impress your friends with your access to the exact text of FDA documents wherever you go. We will be adding additional documents over time. 
2/22/2018  FDA Premarket Clinical Data FAQ Guidance   
The FDA published the guidance document “Acceptance of Clinical Data to Support Medical Device Applications and Submissions Frequently Asked Questions”. The guidance document is in question and answer format, and provides clarifications and recommendations to help stakeholders ensure that studies conducted in the U.S. or foreign countries comply with the new rule and revised regulations. The full guidance is at the link provided. 
1/30/2018  FDA Final Revised Refuse to Accept Policy   
The FDA published the guidance document “Refuse to Accept Policy for 510(k)s”. This supersedes the original issued Aug. 4, 2015. This revision provides for additional requirements to better ensure substantive content, not just administrative elements, is checked in the initial 15 day refuse to accept review. The full guidance is at the link provided. 
1/16/2018  FDA UDI Class I and Unclassified Policy Guidance   
The U.S. Food and Drug Administration released the immediately-in-effect (IIE) guidance document, "Unique Device Identification: Policy Regarding Compliance Dates for Class I and Unclassified Devices." The guidance lists and explains several key elements of FDA’s enforcement discretion policy, including the Agency’s intention to not enforce standard date formatting, labeling, and GUDID data submission requirements for class I and unclassified devices before September 24, 2020; not enforce direct mark requirements for class I and unclassified devices before September 24, 2022; and not enforce standard date formatting, labeling, and GUDID data submission requirements until September 24, 2021, and direct mark requirements until September 24, 2022 for finished devices manufactured and labeled prior to September 24, 2018. The full guidance is at the link provided. 
12/26/2017  FDA Voluntary Device Malfunction Summary Reporting   
The U.S. Food and Drug Administration issued a Federal Register notice with a proposed program for Voluntary Malfunction Summary Reporting. When finalized, this program would allow manufacturers to report certain malfunction medical device reports (MDRs) in a summary format on a quarterly basis instead of individually within 30 days. The proposed Voluntary Malfunction Summary Reporting Program would not apply to importers or device user facilities and the full information is at the link provided. 
12/20/2017  FDA Device Accessories Classification Guidance   
Today the FDA is announcing the availability of the updated final guidance, “Medical Device Accessories – Describing Accessories and Classification Pathways”. This guidance was updated and replaces the Jan. 2017 version to include new mechanisms to request (1) a different classification for an existing accessory type (i.e., accessories already on the market), and (2) for new accessory types (i.e., accessories that have not been previously classified under the Federal Food, Drug, and Cosmetic Act (FD&C Act), cleared for marketing under a 510(k) submission, or approved in a PMA), as described in section 513(f)(6) of the FD&C Act.

SoftwareCPR can provide expert Accessory, de novo, pre-sub, or 513(g) classification consulting services.

If you are not already a paid subscriber consider subscribing to receive all of our bulletins, newsletters, and access to education materials on our website including some Q&A with our experts. Click Subscription Info on our home bar for more information.
 
12/20/2017  NIST_cybersecurity_framework-v1-1   
A draft of a new revision of the NIST Framework for Improving Critical Infrastructure Cybersecurity has been circulated for comment. This draft revision refines, clarifies, and enhances Version 1.0 issued in February 2014. This is a draft for comment. 
12/14/2017  FDA CDRH 2018 Proposed Guidance Development   
FDA issued its list of planned Medical Device Guidance development for 2018. This list has 2 parts: priority development referred to as the A-List and other development referred to as the B-List. Note that FDA does not commit to accomplishing all items on either list; it is just stating its current intention. The A-List includes a draft guidance for Validation of Automated Process Equipment Software. FDA also lists which pre-existing guidances they hope to retrospectively review in 2018. 
12/14/2017  FDA Least Burdensome Principles Draft Guidance   
On Dec. 14, 2017 FDA released a Draft guidance dated Dec. 15, 2017 "The Least Burdensome Provisions: Concept and Principles". This guidance discusses FDA's intent and approach to applying Least Burdensome Principles to the total product lifecycle for medical devices based on requirements in FDAMA (Public Law 105-115), the FDA Safety and Innovation Act (Public Law 112-144) (FDASIA) and the 21st Century Cures Act (Public Law 114-255) (Cures Act). This guidance stresses interactive approaches, tailored approaches, consideration of time and resources impact of its requests, use of post market data to reduce premarket data, timely patient access, leveraging international data, alternative sources of data versus clinical trial data, leveraging existing data rather than running new trials, use of real world data and non-clinical data and bench testing, use of computer modeling and simulation, non-comparative clinical outcome studies, risk benefit analysis, bundling multiple devices in a submission, exempting some Class I and II devices from 510(k) requirements, and in general requesting only the minimum information needed for making a regulatory decision. The full guidance is at the link provided. 
12/11/2017  FDA Changes to Medical SW Policies Draft Guidance   
On Dec. 8, 2017 FDA released a Draft guidance "Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act". This guidance discusses software functions in relation to the modified device definition in the 21st Century Cures Act and the criteria for interpreting if and how medical software will or will not be regulated. Note, however, that the 21st Century Cures Act allows regulation of devices excluded from regulation if a federal register notice finds it would be reasonably likely to have serious adverse health consequences. This guidance indicates that 4 other existing FDA software guidances will be modified to incorporate the policies indicated, related to application of these policies on a software function-specific basis and across platforms. These include the Mobile Medical Applications, Off-the-Shelf Software (to remove Laboratory Information Management Systems (LIMS)), General Wellness, and Medical Device Data Systems guidances. This draft guidance contains many criteria and details regarding FDA's legal authority (or lack thereof) to regulate medical software and whether, if within their authority, they will exercise enforcement discretion and not actively regulate. It includes related factors such as whether the software is certified by the non-FDA HHS Office of the National Coordinator for Health Information Technology. The full guidance is at the link provided. 
12/11/2017  FDA Clinical Decision Support SW Draft Guidance   
On Dec. 8, 2017 FDA released a Draft guidance "Clinical and Patient Decision Support Software". This guidance addresses software for decision support in two categories: one used by Healthcare Professionals, the other used personally by patients and non-health professionals. It provides FDA interpretation of which types of Decision Support Software do not meet the definition of a medical device (as modified in the 21st Century Cures Act), which types may meet the definition, and which types FDA will focus on in terms of regulatory oversight. One key factor is whether the information provided by the software can be independently evaluated by the Clinician. The full guidance is at the link provided. 
12/11/2017  FDA SAMD Clinical Evaluation Final Guidance   
On Dec. 8, 2017 FDA released a Final guidance "Software as a Medical Device (SAMD): Clinical Evaluation". (The October 14, 2016 draft is now obsolete.) This guidance is actually the use of an International Medical Device Regulators Forum (IMDRF) document completed in June of 2017, so this represents broad international consensus. This guidance discusses various types of clinical evidence to support safety and effectiveness of a wide range of Software devices. Information is provided on FDA's perspective on use of pre-existing scientific and clinical information, analytical evaluation and bench testing. It also distinguishes between expectations for well-established clinical associations vs. novel clinical associations. Section 9.0 discusses Continuous Leveraging of Real World Performance Data to support additional performance claims and functions or to reduce such claims. The full guidance is at the link provided. 
12/9/2017  FDA new Digital Health Policy Statement   
On December 7, 2017 FDA Commissioner Scott Gottlieb, M.D. released a statement "Advancing new digital health policies to encourage innovation, bring efficiency and modernization to regulation". The full statement is at the link provided. This statement announces the release of several new draft and final guidances as part of the FDA's Health Innovation Action Plan published previously. The new guidances are posted separately and include SaMD Clinical Evaluation, Clinical and Patient Decision Support, and Changes to Existing Medical Policy resulting from Section 30260 of the 21st Century Cures Act. 
12/8/2017  FDA Digital Health Innovation Action Plan   
Earlier this year FDA released this plan initiating several new guidances, policy changes, and its pre-certification program. The full plan is at the link provided. Information on the pre-certification program progress during 2017 and release of new guidance (Dec 2017) is posted separately. 
12/1/2017  FDA Digital Health Webpage   
For ongoing information on FDA's digital health initiative FDA maintains a dedicated webpage at the link provided. 
11/17/2017  Free Android App with FDA regulations   
Want a free Android app as a quick reference to the regulations? Paul Felten of SoftwareCPR has developed a new app just for that purpose. You can find it by searching for "SoftwareCPR" in the Google Play store! We'll let you know when a similar iPhone app is available. 
11/16/2017  FDA Approves Digital Pill   
FDA issued its first approval of a Digital Medicine, ABILIFY MYCITE®, a new innovative treatment option in mental health. Otsuka with the help of Proteus Inc. developed a sensor as part of the pill that communicates externally to provide confirmation the pill was ingested along with details about it. This is for serious mental illness and can be monitored by others to ensure required medication is being properly taken/administered. Otsuka’s commercialization approach is to launch in 2018, in collaboration with carefully selected health plans and providers in the United States. You can find out more in the press release at the link provided.
11/16/2017  SoftwareCPR Nov 2017 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from mid-August 2017 through mid-November 2017. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
10/31/2017  FDA Final De Novo Submission Guidance   
FDA released a final guidance "De Novo Classification Process (Evaluation of Automatic Class III Designation)" dated 10/30/2017. This supersedes “New Section 513(f)(2) - Evaluation of Automatic Class III Designation, Guidance for Industry and CDRH Staff” dated February 19, 1998. This guidance defines the process for De Novo submissions for devices with no predicate that previously would automatically have been considered Class III, provided there is no current classification rule for this type of device. This guidance clarifies that a 510(k) with an NSE determination is no longer required for De Novo submission. The guidance recommends but does not require a Pre-Sub review with FDA. The full guidance is at the link provided.
10/25/2017  FDA Breakthrough Devices Program Draft Guidance   
FDA published a draft guidance "Breakthrough Devices Program Draft Guidance for Industry and Food and Drug Administration Staff" dated 10/25/17. The full guidance is at the link provided. This supersedes the Expedited Access Pathway (EAP) introduced in 2015 and the Priority Review Program. The Breakthrough Devices Program is a voluntary program for certain medical devices that provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions. This program is intended to help patients have more timely access to these medical devices ... 
10/25/2017  FDA Final Deciding if a new 510(k) is needed   
Supersedes 1997 guidance.
FDA issued a new Final guidance entitled "Deciding When to Submit a 510(k) for a Change to an Existing Device" dated Oct. 25, 2017. The full guidance is at the link provided. Note that FDA simultaneously released a Final guidance for when to submit a new 510(k) for software changes specifically.
 
10/25/2017  FDA When to Submit 510(k) for a Software Change.   
FDA issued a final guidance entitled "Deciding When to Submit a 510(k) for a Software Change to an Existing Device" dated October 25, 2017. This guidance clarifies for industry how to determine what software changes to a 510(k) cleared device require a new 510(k). It seems to reflect what FDA has been applying in the past but now provides a specific reference and more clarity for the decision process. It includes significant emphasis on risk assessment and provides a flowchart and a set of questions to ask to aid in the 510(k) determination. The full guidance is at the link provided. Note that FDA simultaneously released a draft revision to its general guidance for when to submit a new 510(k) for any type of change to a medical device.
 
10/18/2017  EU Proposed Cybersecurity Regulation   
Sherman Eagles of SoftwareCPR reports that the EU has proposed a new regulation on Cybersecurity. While this regulation is not specific to the health sector, health is mentioned as being critical infrastructure in the proposal. The proposal would provide a revised mandate, objectives and tasks for ENISA, the "EU Cybersecurity Agency". Among these new tasks are to facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products and services, and to support and promote the development and implementation of the EU policy on cybersecurity certification of ICT products and services. The framework for an EU cybersecurity certification is established in this proposed regulation.
10/18/2017  ValidationCPR Blog.   
SoftwareCPR now has a validation blog at the link provided. The latest entry as of 18-Oct-2017 provides some Retrospective Validation Tips from SoftwareCPR founder Alan Kusinitz. Earlier entries relate to Part 11, Agile methods, and Health IT.
10/17/2017  U.S. Cybersecurity Bill   
The link provided is to the full text of the current Bill S.1656 in the US Congress titled "Medical Device Cybersecurity Act of 2017". Note that bills may not pass into legislation or may be heavily modified prior to becoming law.
9/29/2017  FDA Pre-submission Meeting Guidance   
The U.S. Food and Drug Administration released a guidance document, "Requests for Feedback on Medical Device Submissions: The Pre-Submission Program and Meetings with Food and Drug Administration Staff" dated Sept. 29, 2017. The guidance lists and explains the process for requesting meetings with FDA and explains proper use of these meetings including examples of appropriate and inappropriate meetings. The full guidance is at the link provided.
9/15/2017  FDA PMA Critical to Quality Pilot Program   
Participation in the PMA CtQ pilot program is voluntary and the program aims to evaluate device design and manufacturing process quality information early on to assist FDA in its review of the PMA manufacturing section and post-approval inspections. This voluntary pilot program is part of the FDA's ongoing Case for Quality effort to apply innovative strategies that promote medical device quality and is a joint effort between the FDA's CDRH and Office of Regulatory Affairs (ORA). The pilot program is intended to provide qualifying PMA applicants with the option to engage FDA on development of CtQ controls for their device and forego the standard PMA preapproval inspection. FDA would, in turn, focus on the PMA applicant's implementation of the CtQ controls during a postmarket inspection. FDA is seeking companies to volunteer to participate. Full information is at the link provided.
9/15/2017  FDA Recognizes AAMI TIR69 Wireless Coexistence   
"AAMI TIR69: Risk Management of Radio-frequency Wireless Coexistence for Medical Devices and Systems" was released in early 2017 and recognized by FDA in August 2017. It can be purchased at the link provided; just search for TIR69.
9/6/2017  FDA FINAL guidance Interoperable Devices   
FDA issued a FINAL guidance entitled "Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices". This guidance addresses medical devices that exchange information, whether wired or wireless, including through the internet. It includes unidirectional exchange, bidirectional exchange, or command and control. The guidance focuses on data exchange, not physical connection types. It includes a section on the interoperability information to be included in premarket submissions.

Section V. identifies 6 key considerations under 21 CFR 820.

Key design considerations identified include purpose of the Electronic Interface, anticipated users, risk management, V&V, Labeling, and Use of consensus standards.

Section VI of the guidance defines information to be included in premarket submissions and includes describing the API (Application Programming Interface) if the software can be used by other software, medical device or system.
 
8/30/2017  FDA Abbott Cybersecurity Safety Communication   
FDA issued: Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication. The full document is at the link provided. 
8/25/2017  IEC 82304 and other FDA newly recognized stds   
FDA published a list of standards added to their recognition list on August 21, 2017.
IEC 82304-1 Edition 1.0 2016-10. Health software—Part 1: General requirements for product safety is included on this list in the Software/Informatics Section along with a number of other standards related to device communication (including specific to glucose meters and insulin pumps), and Cybersecurity. The full FDA list of newly recognized standards is at the link provided.
 
8/21/2017  FDA Recognizes UL2900-1 for Cybersecurity   
UL 2900-1 Ed.1 2017 Standard for Software Cybersecurity Network-Connectable Products, Part 1: General Requirements was recognized by FDA on August 21, 2017 
8/15/2017  SoftwareCPR August 2017 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from late April 2017 through mid-August 2017. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones.
8/9/2017  FDA Digital Health Precert Pilot FAQ   
FDA published a FAQ for companies that may be interested in participating in the pilot program at the link provided. 
8/3/2017  FDA Digital Health Precert Meeting Summary   
Sandy Hedberg and Brian Pate of SoftwareCPR highlight a few key points from the meeting. The FDA's Digital Health Precertification webpage is at the link provided and the slides from their presentation can be downloaded. Basically, the premise will be that FDA will pre-certify a company. Pre-certification will result in a certification level. Based upon the company’s precertification level and the level of risk for the device, the product (or modifications to a product) may be able to go directly to market or undergo a streamlined submission review. FDA will also require real world data collection. FDA did not provide much detail as they intend to develop the details as they go through the pilot. FDA hopes to enroll around 9 companies in the pilot who are established in software development. It is interesting that FDA is including a range of device risk and not just focusing on low risk devices. Another interesting aspect is the idea of an SaMD RDK (Regulatory Development Kit) as indicated in one of the FDA slides. This would be an online interactive aide to those developing SaMD in ensuring regulatory compliance and safety. If successful this new approach may help SaMD manufacturers support more rapid software release and updates as is common with commercial software products.
8/3/2017  FDA Digital Health Precert Transcript and Video   
FDA held a meeting and webcast regarding initial development of its new approach for Digital Health Regulation. The FDA's Digital Health Precertification webpage is at the link provided and the slides from their presentation can be downloaded.
7/31/2017  Cybersecurity issue related to Amazon Cloud   
A security company indicated the following:
... many companies received emails from Amazon indicating that their AWS S3 bucket policies were left configured as “publicly accessible”. These publicly accessible policies allow potentially sensitive cloud data to be exposed to cybersecurity threats, and likely are not the intention of the Amazon customers.

Amazon recommended that each "bucket" policy be reviewed as well as contents within each S3 bucket. Additionally, S3 buckets set to allow "Any Authenticated AWS User" are still effectively granting global access. Amazon’s advice is beneficial, particularly for medical device companies, and should trigger a review of not only the AWS policies and data within each bucket, but also overall software validation and cybersecurity review. AWS S3 clearly is a useful platform that medical device companies can utilize for immense scalability and reliability without the maintenance of in-house, dedicated servers. However, like any off-the-shelf software, the manufacturer should understand the potential safety risks and impact to the intended use of the medical software applications hosted on S3.

FDA has provided guidance on designing for cybersecurity and for maintaining cybersecurity in two separate guidance documents. SoftwareCPR® has particular expertise in cybersecurity and provides independent review and assessments of our clients’ security policies, procedures, secure architecture design, cyber controls, and can also provide various levels of penetration testing.

Our cybersecurity expert allows SoftwareCPR® to offer a full-service approach to assist your company with pre-market and post-market cybersecurity planning, evaluation, vulnerability and validation services. We combine extensive experience with FDA expectations for analysis and control of cyber vulnerabilities with state-of-the-art and highly sophisticated methods and experience. We can support small medical device startups to multi-national corporations, low risk to high risk and simple to complex devices. Our approach is risk-based, using risk and threat analysis early in the process to help prevent late-cycle changes that are costly.

(News item written by Paul Felten, Senior Validation Specialist)
 
7/26/2017  TIP: Cybersecurity in relation to Common Cause RM.   
These are some thoughts from Sherman Eagles, Brian Pate, and Alan Kusinitz of SoftwareCPR.

Cybersecurity vulnerabilities can have unpredictable effects on safety similar to common cause/indirect (as in AAMI TIR32 and IEC 80002-1) software failures. Therefore it is usually advantageous to identify vulnerabilities (not threats, those are harder for a manufacturer to identify) and apply controls rather than focus on probability estimation. Treating cybersecurity vulnerabilities like common cause software failures while thinking about realistic scenarios and simple mitigation, then evaluating if the mitigations seem sufficient given the overall risk of the device based on its intended use and the role of the potentially affected software in the device is generally a useful approach.
 
7/19/2017  FDA Pre-designation Draft Guidance   
FDA issued a new draft guidance entitled "Draft Guidance for Industry; How To Prepare a Pre-Request for Designation". This guidance is intended to describe informal interaction with FDA that might lead to a formal Designation request to determine whether a product will be regulated as a device or a drug or some combination thereof. The full guidance is at the link provided.
6/29/2017  IEC TR 80002-2 Validation of Regulated Systems   
IEC TR 80002-2 Medical device software - Part 2: Validation of software for medical device quality systems has been published. This TR provides guidance for new requirements in ISO 13485:2016 for validating software used in quality systems. ISO/TR 80002-2:2017 applies to any software used in device design, testing, component acceptance, manufacturing, labelling, packaging, distribution and complaint handling or to automate any other aspect of a medical device quality system as described in ISO 13485. 
6/27/2017  Introductory 1 day Human Factors Assessment   
SoftwareCPR® - Human Factors and Usability Engineering Assessment

Does the design of your device promote safe and effective use?
Are you ready for an FDA regulatory submission requiring HFE/UE report?
Do you maintain a usability engineering file for your products? Is it complete?
Do you have a systematic process for identifying and analyzing use error?
Is the identification of use error integrated into your overall device Risk Management Plan?
Would your usability engineering process satisfy both FDA inspection and NB audit?
If you answered No to any of those questions, you may be interested in a "ONE DAY"! You may have thought before, "One day we will get our usability engineering process in order." Well, that day is now!

So what is a "ONE DAY"?

In just ONE DAY onsite with your team, SoftwareCPR® will:

Work with your team to briefly assess your usability engineering file and review your UE process for compliance to FDA and international standards. For current projects, we will evaluate the adequacy of the human factors testing completed to date and determine what, if any, testing may still be necessary. Our clients range from large corporations to small start-ups. Many start-up companies find that having us provide hands-on support of all of their human factors activities helps speed up product submissions and alleviates the need for hiring extra staff.
Use a risk-based approach. From the perspective of the FDA and the new IEC 62366-1, formative and summative evaluations performed to demonstrate safety and effectiveness of device use are dependent upon a comprehensive analysis of the use-related hazards. Have you identified which use errors could result and have you effectively mitigated those errors? Our staff can assist you with answering these questions and completing the entire risk analysis process.
Leverage our expertise and extensive experience with software verification and validation! By coordinating and strategically planning software development milestones with usability evaluation goals, the overall development program can be highly optimized. We often help our clients plan and manage the software development and V & V process to optimize opportunities for UE evaluations. We can advise on multiple levels of prototypes to support the process.
Our staff has many years of experience managing, developing and testing regulated devices. We recognize that usability engineering must be integrated with the overall development program considering FDA expectations, overall device risk, and other factors. We have experience with legacy devices and UOUP!
For a limited time, SoftwareCPR® is offering a discounted "ONE DAY" onsite assessment of your Human Factors / Usability engineering process and project artifacts for a selected project, and will then cap off the day with a short training session on 62366 and FDA expectations for human factors engineering and usability engineering!

Cost $1495.00 excluding travel expenses.

For more information, call or email Brian Pate at 813-766-0563 brian@softwarecpr.com. We only have a limited number, so be the first to get your ONE DAY scheduled!
 
6/26/2017  FDA Draft Part 11 for Clinical Investigations   
FDA issued a new draft guidance in June 2017 titled "Use of Electronic Records and Electronic Signatures in Clinical Investigations Under 21 CFR Part 11 – Questions and Answers". This guidance, while scoped for clinical investigations, has information that is probably useful and defensible for assessing or ensuring compliance with other types of systems subject to Part 11 as well. It is presented in Q&A format and addresses cloud systems, mobile devices, outsourcing and many other topics.
6/26/2017  FDA Tutorial E-submission of 806 reports   
FDA CDRHLearn released a new tutorial entitled "Electronic Submission of 806 Reports of Corrections and Removals". The full tutorial is at the link provided.
6/25/2017  AAMI Software Related Work Items Update   
AAMI Software and IT related standards working groups include one for interoperability (with 3 standards work items), one for Device Security (with 2 standards work items), one for Wireless, one for SW Defect Classification, and one for AAMI/UL 2800-1 for specification of architecture independent requirements. There is also a separate Health IT Committee with several items under development. 
6/25/2017  Patch Management in Health Technology Podcast   
Symantec Cybersecurity expert Axel Wirth provided an AAMI podcast presentation June 21, 2017 titled "Patch Management in Healthcare". The podcast is on the AAMI page at the link provided along with several other podcasts related to cybersecurity in the prior 2 episodes.
6/18/2017  FDA Safety Alert - Stereotactic Navigation Systems   
FDA issued a Safety Alert to users of Stereotactic Surgical Navigation Systems. This alert provides a variety of warnings and recommendations to prevent deaths and serious injuries when using these systems including software issues and medical imaging issues among others. The full alert is at the link provided.
6/15/2017  FDA New Digital Health and SaMD Initiative
Sandy Hedberg of SoftwareCPR suggests those involved in Health IT or Software only medical devices (SaMD) might find the recent comments by FDA commissioner Scott Gottlieb regarding FDA's move to a new regulatory approach of interest. The link provided is to his blog posting.
6/6/2017  Security of Medical Devices   
Cybersecurity firm Sophos published an article on Medical Device cybersecurity at the link provided. David Overton of SoftwareCPR suggested we post this as it may be of interest. David stated: A significant percentage of medical devices are not secure. Most medical device manufacturers do not take serious steps to secure their devices for two reasons: A) less than 50% of device makers and HDO’s are even aware patients suffer from cyber attacks on devices — and B) 80% of manufacturers and users say the small size of devices and low computing power of internal devices make it tough to apply security standards that help to keep other devices safe. 
4/24/2017  FDA Interoperability Final & Cybersecurity Revision
At the AAMI/FDA Software Regulatory Class being held this week it was stated that the following are expected to be released this summer by FDA:
- revision to the premarket cybersecurity guidance
- final of the interoperability guidance
 
4/24/2017  FDA Use of Symbols in Medical Device Labeling   
The FDA page on Medical Device Use of Symbols in Labeling is at the link provided. FDA currently allows use of symbols in place of text for medical devices and certain biologics provided the use is compliant with 21 CFR Parts 660, 801, and 809. 
4/24/2017  SoftwareCPR April 2017 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from mid/late December 2016 through late April 2017. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones.
3/22/2017  FDA Experiential Learning Program Applications   
FDA seeks manufacturers to provide onsite learning opportunities for FDA staff. In the areas of Digital Health/Software FDA is interested in 4 topics: Cybersecurity, Software Development, Total product lifecycle development processes and methodologies, and Software testing. The link provided is the main FDA webpage on this program and has a link to the full list of topics as well as links with a sample agenda and information on the application process.
3/22/2017  FDA Webinar on De Novo for Neurological Devices.   
FDA Webinar - Regulatory Overview for Developers and Sponsors of Neurological Devices: An Introduction to the De Novo Pathway – Wednesday, March 22, 2017. Full information on this webinar, which is being put on by FDA, is at the link provided.
3/21/2017  FDA Draft Class II Device 510(k) exemptions   
On March 14, 2017 FDA issued a draft list of Class II Medical Devices exemptions from the 510(k) premarket notification requirements to comply with the 21st Century Cures Act. The full list is at the link provided. Some items of note related specifically to software are 884.1630 Product Code HEX Colposcope is NOT exempt if it contains software for image analysis or use on a smartphone, 86.2570 Product Code PQQ Data Acquisition Software, and 882.1470 Product Code PKQ Computerized Cognitive Assessment Aide (if not intended for diagnosis). There are also many devices on the exemption list that would normally contain software although software is not specifically mentioned.
3/4/2017  FDA Presentation on Benefit-Risk IDE Devices   
The presentation material for the FDA Webinar - Factors to Consider When Making Benefit-Risk Determinations for Medical Device Investigational Device Exemptions Final Guidance - February 23, 2017 is at the link provided.
2/16/2017  82304, 80002-2, 80001-2-9 SW Stds Update - Feb 2017
Although IEC 82304-1 Health Software: General requirements for safety has been published it is not clear when it will be harmonized in the EU. Nonetheless it appears EU notified bodies are treating it as “state-of-the-art” and are likely to expect it to be used for software products that are regulated as medical devices.

IEC TR 80002-2 Medical device software - Part 2: Validation of software for medical device quality systems is expected to be published shortly. This TR provides guidance for new requirements in ISO 13485:2016 for validating software used in quality systems.

IEC 80001-2-9 Application of risk management for IT-networks incorporating medical devices - Part 2-9: Application guidance - Guidance for use of security assurance cases to demonstrate confidence in IEC TR 80001-2-2 security capabilities has been published. This TR shows how a security assurance case can be used to demonstrate confidence that 80001-2-2 security capabilities have been achieved.
 
2/15/2017  U.S. Bill to Modernize FDA Device Inspections   
A bill was introduced in the U.S. Senate to amend the Federal Food, Drug, and Cosmetic Act to improve the process for inspections of device establishments and for granting export certifications. A bill is essentially a draft law and may or may not become law and may or may not be significantly modified in the process of approval. The full bill is at the link provided.
2/10/2017  China FDA (CFDA) English Website   
The China FDA (CFDA), formerly the State FDA (SFDA), maintains an English version of its website at the link provided. The CFDA is promoting use of 62304 for medical device software and essentially ISO/IEC 14764 for IT maintenance. It is also actively expanding its requirements related to cybersecurity of networked devices.
2/8/2017  FDA Safety Alert - Alaris Pump Alarm   
Company: Carefusion Date of Enforcement Report 2/8/2017 Class I Recall
Alaris Syringe Pump Module (Large Volume Pump), Model 8100 and AIL Sensor Kits by CareFusion: Class I Recall - Alarm Error AUDIENCE: Risk Manager, Nursing.
The full safety alert is at the link provided and the recall report is posted on our recalls webpage. ISSUE: CareFusion is recalling the Alaris Syringe Pump because of a faulty Air-In-Line (AIL) sensor which may generate a false alarm, and cause the syringe pump to stop supplying the infusion to the patient. If the AIL sensor is faulty, the false alarm may be repeated and require the health care provider to clear the alarm to restart the infusion. Interruption of infusion could lead to serious adverse health consequences or death.
 
1/29/2017  US ONC Health IT Certification   
The US government established the Office of the National Coordinator for Health Information Technology (ONC) in 2004 and increased its role significantly in 2009 to promote and certify certain aspects of Health IT including electronic medical record systems. Although a voluntary program, certification is required to access a number of financial incentives. This is entirely separate from the US FDA. The government website for information on certification is at the link provided. Given the financial incentives involved the ONC has in many ways become a regulatory body for certain HealthIT in the US. Note that one of the requirements for certification is that the manufacturer of the HealthIT establish a quality system. The following is a summary describing the ONC from its webpage.

"The Office of the National Coordinator for Health Information Technology (ONC) operates the ONC Health IT Certification Program (Program) under the authority granted by section 3001(c)(5) of the Public Health Service Act (PHSA), and as defined in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Program is run as a third-party product conformity assessment scheme for health information technology (health IT) based on the principles of the International Standards Organization (ISO) and International Electrotechnical Commission (IEC) framework. ONC does not perform conformance testing or issue certifications itself. Rather, ONC collaborates with other organizations that it evaluates, approves, and authorizes to perform these functions on its behalf. The Program is a voluntary health IT testing and certification scheme with requirements including, but not limited to, capabilities related to the recording, security, and interoperable sharing of health information. The Program defines the technical requirements for health IT and the process by which health IT may become certified and maintain its certification."

"ONC launched the Program in 2010 to support the Medicare and Medicaid EHR Incentive Programs (EHR Incentive Programs) administered by the Centers for Medicare & Medicaid Services (CMS). While the EHR Incentive Programs continue to require the use of certified health IT, the use of certified health IT has expanded to other government and non-government programs. Similarly, the Program has evolved and now also supports other health IT adoption, interoperability, and care quality improvement initiatives. This evolution has been demonstrated as the Program has released several editions of certification criteria and expanded program requirements. These new editions of certification criteria include more robust functional and interoperability requirements, ONC-ACB in-the-field surveillance expectations, and cost transparency and disclosure requirements for health IT developers’ certified health IT. These additional disclosure requirements have been adopted to ensure users of certified health IT are fully informed about certain types of limitations and additional costs associated with the ability to implement or use certified health IT in a manner consistent with its certification."
 
1/24/2017  FDA Postmarket Cybersecurity Guidance Webinar   
FDA issued a Final guidance entitled: "Postmarket Management of Cybersecurity in Medical Devices". FDA held a free webinar on this guidance on Jan. 12, 2017. Information and presentation materials are at the link provided.

SoftwareCPR can provide expert cybersecurity consulting services for regulatory compliance and risk analysis, technical threat and vulnerability assessment as well as for preparing premarket submission and post market information to FDA.

If you are not already a paid subscriber consider subscribing to receive all of our bulletins, newsletters, and access to education materials on our website including some Q&A with our experts. Click Subscription Info on our home bar for more information.
 
1/24/2017  SoftwareCPR Press Release   
Brian Pate, a Partner with SoftwareCPR® since 2006, will now assume the position of General Manager to continue the strong leadership, high integrity, and quality services that have been a hallmark of SoftwareCPR®. In addition to Brian's consulting and teaching roles, he will oversee day to day operations including marketing, sales, and executive management of the company. Brian has provided training internally for FDA, and serves as faculty for the AAMI/FDA courses on Software Regulation and the Effective Application of Agile Methods course. SoftwareCPR® partners have additionally provided training to Health Canada, Taiwan FDA, and developed and teach the Safety Assurance Course. Brian served on the TIR working groups for TIR 32 (Medical device software risk management) and TIR45 (Guidance on the use of AGILE practices in the development of medical device software). He has a long track record with helping medical device companies achieve lean, efficient, and compliant processes for software development.

Alan Kusinitz, SoftwareCPR® Founder, remains involved focusing on training, strategic regulatory consulting and our subscription-based educational services.

Crisis Prevention and Recovery, LLC (dba SoftwareCPR®) specializes in FDA regulation, representation, and negotiation for medical device, pharmaceutical, and biologics manufacturers. SoftwareCPR® partners participate in standards and software policy development as well as training with FDA’s internal software experts. They provide consulting services related to quality systems compliance, MDR reporting, premarket submissions, design control, risk analysis, software validation, recalls, 21 CFR Part 11, usability studies, cybersecurity, project management, and process improvement. SoftwareCPR® also provides a software regulatory information and educational subscription service at www.softwarecpr.com with newsletters, procedural, document, and checklist examples, training aids and reference manuals.
 
1/21/2017  FDA Draft medical Device product Communications   
The FDA issued a draft guidance "Medical Product Communications That Are Consistent With the FDA-Required Labeling — Questions and Answers". The full draft is at the link provided. 
1/18/2017  SoftwareCPR IEC 82304-1: Health software Checklist   
SoftwareCPR has posted its new checklist for "IEC 82304-1: Health software - Part 1: General requirements for product safety" in our website library and on our checklists page. This is free for our paid subscribers. SoftwareCPR can provide conformance assessments, training, or expert consultation for efficient use and implementation of 82304 for medical device software as well as for unregulated Health software. 
1/13/2017  FDA FINAL Guidance Benefit-Risk IDE Devices   
The US FDA issued a FINAL guidance entitled: "Factors to Consider When Making Benefit-Risk Determinations for Medical Device Investigational Device Exemptions". This guidance references software features in Appendix C the device description section. The full guidance is at the link provided. 
1/13/2017  Ranorex Automated Test Tool1   
Since being introduced, test automation continues to evolve as new technologies are created and released. One such evolution is Ranorex Online which has been officially released for public beta testing. Those familiar with test automation are aware that browser plugins are a necessary evil for any web-based testing framework. Ranorex Online attempts to eliminate that setup with testing that is created, hosted, and executed in the cloud. Even though limited to major browsers, it seems very promising as the new fourth generation test automation tool. Not only does Ranorex Online eliminate the setup and maintenance of an IDE and browser plugins, it improves efficiency of testers by allowing them to work on other tasks. For more information contact Paul Felton of SoftwareCPR at pfelten@softwarecpr.com to have a free consultation on test automation and whether it is a good fit for your software. The Ranorex website is at the link provided.
1/10/2017  21st Century Cures Act - SCPR SW Impact Analysis   
Sandy Hedberg of SoftwareCPR prepared a summary of the impact of Dec 13, 2016 US Law the 21st Century Cures Act on Standalone Software. Section 3060 addresses standalone software and exempts some software from regulation as a medical device. Sandy's summary is at the link provided. Other sections of the act address Medical Devices and Pharmaceuticals in general. 
1/10/2017  Implantable Device FDA Cybersecurity Notice   
FDA issued a safety notice: Cybersecurity Vulnerabilities Identified in St. Jude Medical's Implantable Cardiac Devices and Merlin@home Transmitter. The full safety notice is at the link provided. 
1/4/2017  21st Century Cures Act - Medical Device Summary   
The law firm of Hyman Phelps and McNamara posted a very good summary of the impact of the 21st Century Cures Act, the US law of Dec 13, 2016. The link provided is for general provisions affecting Medical Device Regulation. They also provide links to summaries of other provisions of the act for Standalone software in particular (also posted on softwarecpr.com) and Drugs and Biologics impact.
1/4/2017  21st Century Cures Act - Standalone SW Summary   
The law firm of Hyman Phelps and McNamara posted their summary of the impact of the 21st Century Cures Act, the US law of Dec 13, 2016, at the link provided. Section 3060 addresses standalone software and exempts some software from regulation as a medical device. They also provide links to summaries of other provisions of the act for Medical Devices in general and Drugs and Biologics impact.
1/4/2017  FDA Device Recall Summary Page   
The FDA webpage with a summary of how medical device recalls are handled and how FDA may notify the public is at the link provided. This includes examples of types of recall actions. We post software-related recalls on this website and SoftwareCPR can provide expert assistance in compliance with 21 CFR Part 806 Corrections and Removals as well as correspondence or negotiations with FDA in handling all types of recalls and to help ensure public notifications are fairly stated.
12/30/2016  FDA Accessories Classification Webinar   
FDA issued a Final guidance entitled: "Medical Device Accessories – Describing Accessories and Classification Pathway for New Accessory Type". FDA will be holding a free webinar on this guidance on Feb 2, 2017. Information is at the link provided. We will post the presentation materials after the webinar.

SoftwareCPR can provide expert Accessory de novo or 513(g) classification consulting services.

If you are not already a paid subscriber consider subscribing to receive all of our bulletins, newsletters, and access to education materials on our website including some Q&A with our experts. Click Subscription Info on our home bar for more information.
 
12/30/2016  OBSOLETE:FDA Device Accessories Guidance   
This guidance was updated and a new Final released December 2017.
FDA issued a Final guidance entitled: "Medical Device Accessories – Describing Accessories and Classification Pathway for New Accessory Types". This replaces the Jan 2015 draft. It indicates that on December 13, 2016, section 513(b) of the FD&C Act was amended by the 21st Century Cures Act (Public Law 114-255) to state that the “Secretary shall classify an accessory based on the intended use of the accessory, notwithstanding the classification of any other device with which such accessory is intended to be used.” This is an important point. It also references use of the de novo classification process for accessories of a new type that have not already received a PMA approval and explicitly indicates this applies to Software as a Medical Device (SaMD) as well. The full guidance is at the link provided.

SoftwareCPR can provide expert Accessory de novo or 513(g) classification consulting services.

If you are not already a paid subscriber consider subscribing to receive all of our bulletins, newsletters, and access to education materials on our website including some Q&A with our experts. Click Subscription Info on our home bar for more information.
 
12/29/2016  FDA Final Postmarket Cybersecurity Guidance   
FDA issued a Final guidance entitled: "Postmarket Management of Cybersecurity in Medical Devices". This guidance augments the FDA guidance related to cybersecurity information in premarket submissions. SoftwareCPR has extensive experience with premarket and postmarket compliance with FDA cybersecurity requirements and expectations and can provide consulting support as needed.

This guidance references a number of presidential Executive Orders related to critical infrastructure and cybersecurity as a driving force for FDA's increased oversight in this area. FDA also specifically recommends that manufacturers exercise "good cyber hygiene" and encourages use of the NIST document "Framework for Improving Critical Infrastructure Cybersecurity". This document defines the elements to include as "identify, protect, detect, respond, recover". Since it is referenced in this guidance, it may become important for manufacturers to be able to articulate their cybersecurity approach in these terms to FDA investigators or premarket reviewers, or at least map their terminology to these elements.

The document also states that "Irrespective of the originating source, a clear, consistent and reproducible process for intake and handling of vulnerability information should be established and implemented by the manufacturer. FDA has recognized ISO/IEC 30111:2013: Information Technology - Security Techniques - Vulnerability Handling Processes" and "should also adopt a coordinated vulnerability disclosure policy. FDA has recognized ISO/IEC 29147:2014: Information Technology – Security Techniques - Vulnerability Disclosure".

There are many terms and concepts in this guidance of interest including:
- the term "compensating control" which is essentially manual controls.
- exercising good cyber hygiene to lower risk even beyond the acceptable risk limit
- making a binary decision whether the risk after controls is acceptable or unacceptable
- focusing cybersecurity risk evaluation on "essential clinical performance"
- use of a common vulnerability scoring system for probability as part of an exploitability analysis
- reinforcement of the premarket guidance in that product changes to strengthen cybersecurity are considered enhancements that would not normally require new premarket submissions and for PMA products would only need inclusion in the annual reports

The guidance indicates that vulnerabilities that meet all of the following conditions would not require reporting under the Corrections and Removal or Medical Device reporting rule:
1) There are no known serious adverse events or deaths associated with the vulnerability,
2) Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and
3) The manufacturer is a participating member of an ISAO, such as NH-ISAC.

Executive Order 13691 Feb. 13, 2015 encouraged development of Information Sharing Analysis Organizations (ISAOs) and FDA is exempting Manufacturers from certain things if they participate with an ISAO. An ISAO is essentially an organization for sharing of cybersecurity information with specific liability protections under the law. FDA has entered into a memorandum with one ISAO as indicated on line 121.

SoftwareCPR can provide expert cybersecurity consulting services for regulatory compliance and risk analysis, technical threat and vulnerability assessment as well as for preparing premarket submission and post market information to FDA.

If you are not already a paid subscriber consider subscribing to receive all of our bulletins, newsletters, and access to education materials on our website including some Q&A with our experts. Click Subscription Info on our home bar for more information.
 
12/29/2016  FDA Postmarket Cybersecurity Blog   
FDA issued a Final guidance entitled: "Postmarket Management of Cybersecurity in Medical Devices". The link provided is to FDA's blog regarding this.

SoftwareCPR can provide expert cybersecurity consulting services for regulatory compliance and risk analysis, technical threat and vulnerability assessment as well as for preparing premarket submission and post market information to FDA.

If you are not already a paid subscriber consider subscribing to receive all of our bulletins, newsletters, and access to education materials on our website including some Q&A with our experts. Click Subscription Info on our home bar for more information.
 
12/27/2016  FDA FINAL Guidance Benefit-Risk in Medical Devices   
The US FDA issued a FINAL guidance entitled: "Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance, and Enforcement Decisions". This defines FDA's approach to evaluate the Risk-Benefit relationship when evaluating information about medical devices. The guidance includes examples on how it applies to product availability (e.g., recalls and shortage) and also to compliance and enforcement decisions. It also includes a short Appendix on the relationship to ISO 14971 use of similar terms. The remaining appendices appear quite useful as checklists for things to consider and address in internal pre and post market risk evaluations and as a summary of the guidance.
12/21/2016  SoftwareCPR December 2016 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from mid Sept 2016 through mid Dec. 2016. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
12/7/2016  IEC 82304-1: Health software Std Released   
IEC 82304-1: Health software - Part 1: General requirements for product safety has been approved and released. It can be purchased from the ISO at the link provided. This standard addresses Health Software Products in general and does not attempt to define which are regulated and which are not. Its scope is all standalone software not intended to become part of specific hardware designed for its medical use. It refers to IEC 62304 in many places as a normative reference and separately mentions IEC 62366 for Usability. The primary focus of this standard is on requirements for the developers, installers and maintainers of the software product. It is intended to be used alongside IEC 62304 and to cover aspects of the software product that are not covered in IEC 62304, such as accompanying documentation and software validation.
12/6/2016  FDA Webinar Final MDR guidance   
On November 30, 2016 FDA held a Webinar - Final Guidance on Medical Device Reporting for Manufacturers - November 30, 2016. The full presentation materials and a transcript are at the link provided.
12/1/2016  FDA Webinar materials Self Monitoring glucose   
On November 21, 2016 FDA held a Webinar - Final Guidance Documents: “Self-Monitoring Blood Glucose Test Systems for Over-the-Counter Use” and “Blood Glucose Monitoring Test Systems for Prescription Point-of-Care Use” - November 21, 2016. The full presentation materials and a transcript are at the link provided. 
11/30/2016  FDA Marketing of Concussion Evaluation Software   
On August 22, 2016 FDA allowed marketing of first-of-kind computerized cognitive tests to help assess cognitive skills after a head injury. The FDA reviewed the ImPACT device through its de novo classification process, a regulatory pathway for novel, low-to-moderate-risk medical devices that are first-of-a-kind, for which special controls can be developed, in addition to general controls, to provide a reasonable assurance of safety and effectiveness of the devices. The device is manufactured by ImPACT Applications, located in Pittsburgh, Pennsylvania. The full FDA announcement is at the link provided.
11/9/2016  FDA Interoperability Public Workshop Results   
FDA held a Public Workshop - Workshop on Promoting Semantic Interoperability of Laboratory Data, November 8, 2016. The full webcast of this workshop as well as all presentations are at the link provided. 
11/9/2016  FDA MDR Final Revised Guidance   
FDA published a final guidance "Medical Device Reporting for Manufacturers" dated Nov. 8, 2016. This supersedes the prior 2013 draft and 1997 guidances. It contains significant Q&A which helps clarify FDA's ongoing interpretation of enforcement of the 21 CFR 803 regulation itself. This guidance appears to be providing clarification consistent with their interpretations since the MDR rule itself was published rather than any significant changes in interpretation or enforcement. Page 3 of this guidance provides a phone # 301-796-6670 and email: MDRPolicy@fda.hhs.gov for questions about this guidance or the regulation.
11/1/2016  FDA Unique Device Identification Webpage   
FDA maintains a UDI webpage at the link provided. This webpage provides links to all relevant guidances and the GUDID database. 
10/25/2016  IEC 82304-1: Health software Final Draft Approved   
A final draft (FDIS) of IEC 82304-1: Health software - Part 1: General requirements for product safety has been approved. The standard will be published after final editing. This is expected around the end of the year (2016).

Note that SoftwareCPR is having a public 3 day training Jan 31 in Tampa, FL, that will cover this standard in addition to 62304 and others. A link to more information about the training is provided above.

The primary focus of this standard is on requirements for the developers of the software product. It is intended to be used alongside IEC 62304 and to cover aspects of the software product that are not covered in IEC 62304, such as accompanying documentation and software validation. This is for Health Software in general not just medical device software.
 
10/21/2016  FDA Multidata Discontinue Use Letter   
FDA issued a letter to Radiation Oncologists, Medical Physicists, Dosimetrists, and Radiation Therapists to discontinue use of devices from Multidata Systems. This company has had a history of issues and has been under consent decree. This letter relates to release of uncleared products. Multidata is the company that was involved in patient deaths in Panama in 2003; it was reported at the time that the company claimed these were due to misuse, while others asserted risk controls were inadequate.
10/13/2016  62304 and Medical Device Software Stds Training   
What standards are helpful when creating or updating your software development process? Can compliance with standards benefit a medical device or HealthIT company with regulatory approval and/or FDA inspections? These questions and more will be answered at the upcoming 62304 training and emerging standards impacting Medical Device software and Health IT training course sponsored by SoftwareCPR(R). Stay one step ahead by learning about the amendment 1 changes to 62304, the upcoming 2nd edition of 62304, and how to frame your software development process around 62304. The course will even address challenges and recommendations for making your agile process 62304 compliant!
But the course is not limited to 62304 training - learn about the Health software standard, 82304, integrating 62366-1 into your SDLC, and the most efficient and appropriate software risk management methodologies.
Don't wait for compliance issues - act now and make sure your company is not caught off-guard and lacking appropriate training. Email brian@SoftwareCPR.com for specific questions.
 
9/16/2016  AAMI TIR 57 medical device cybersecurity   
AAMI TIR 57 on medical device cybersecurity risk management will be published in 2016.
Status: The TIR was recognized by the FDA before it had even been made available for purchase by AAMI. The TIR is now available for purchase from AAMI.
 
9/16/2016  IEC 82304-1: Health software Final Draft   
A final draft for approval (FDIS) of IEC 82304-1: Health software - Part 1: General requirements for product safety has been circulated. The ballot ends on October 14, and the standard is expected to be published by the end of 2016. This standard applies to software products that do not require specific hardware designed for health use. The primary focus of this standard is on requirements for the developers of the software product. It is intended to be used alongside IEC 62304 and to cover aspects of the software product that are not covered in IEC 62304, such as accompanying documentation and software validation. This is for Health Software in general not just medical device software. 
9/16/2016  SCPR SW Stds Course Discount Registration deadline   
SoftwareCPR early bird discounts have sold out but we are offering a somewhat discounted registration for attendees that register by October 15, 2016. The course will be held Jan 31 - Feb 2, 2017 (Tue - Thu) in Tampa, FL. Alan Kusinitz and Brian Pate of SoftwareCPR will be instructing.

It will focus on 62304 (2015 Amendment) and 80002-1 with some comparison to FDA, but with some overview of new topics related to 82304, 62304 2nd edition planned changes, human factors 62366, and regulation of standalone software.

For more information click on the link provided.
 
9/13/2016  EU Court Software Case   
The National Law Review article at the link attached discusses a case before the EU Court of Justice to decide if medical software that provides support to healthcare professionals in prescribing medicinal products should be considered a medical device. The manufacturer prefers the software to be considered a medical device to avoid what it considers to be more onerous requirements if it is not treated that way. 
9/9/2016  FDA posted several new online training modules   
FDA added a number of new online training modules for medical device compliance to its CDRHLearn curriculum at the link provided. Some of the new modules focus on Benefit-Risk evaluation, Global Harmonization, Labeling, and In vitro diagnostics.
9/9/2016  SoftwareCPR September 2016 Newsletter   
This SoftwareCPR.com newsletter in pdf form lists items added to the web site from June 2016 through August 2016. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
9/7/2016  FDA Letter with extension of deadlines UDI   
FDA issued a letter to Device Labelers on Sept. 6, 2016 extending the deadlines for UDI label and GUDID submission requirements for certain Class II products and certain combination products to Sept. 14, 2018. The full letter, which details the specific device types, is at the link provided.
9/7/2016  FDA/IMDRF Draft--Standalone SW Clinical Evaluation   
OBSOLETE - Final Issued December 8, 2017
FDA issued a draft guidance developed as part of the International Medical Device Regulators Forum entitled "Software as a Medical Device (SaMD): Clinical Evaluation". This document focuses on how to demonstrate clinical validity of software as a medical device. Other guidances from FDA and IMDRF address other software aspects such as software validation, premarket submissions, and risk classification among others.
 
8/7/2016  EU_Network Security Directive 2016.   
The European Union has published a Directive concerning measures for a high common level of security of network and information systems across the Union. The directive does not impose any new requirements on manufacturers that are not operators of essential services or digital services. Instead, it relies on existing rules on product liability. 
7/29/2016  FDA Guidance Low Risk General Wellness Devices   
FDA issued a final guidance (draft was issued at the beginning of 2015) entitled "General Wellness: Policy for Low Risk Devices" on July 29, 2016. This guidance essentially exempts low risk wellness products from FDA regulation. It appears to be quite similar to the draft but with some editing and clarifications. These include 3 more examples of categories of low risk wellness devices on pages 4 and 5, changes and additions to questions to ask to determine if the device is low risk and subject to this guidance, clarifies that if the device has a related FDA classification rule this guidance does not apply, adds additional examples of products that are not low risk on page 6, and provides a significantly revised and clarified decision tree in Section VI. 
7/29/2016  FDA Draft Deciding if 510(k) needed for SW change   
OBSOLETE: A final guidance was issued on Oct. 25, 2017
FDA issued a draft guidance entitled "Deciding When to Submit a 510(k) for a Software Change to an Existing Device" on August 8, 2016. This guidance clarifies for industry how to determine which software changes to a 510(k) cleared device require a new 510(k). Although a draft, it seems to reflect what FDA has been applying in the past but now provides a specific reference and more clarity for the decision process. The full guidance is at the link provided. Note that FDA simultaneously released a draft revision to its general guidance for when to submit a new 510(k) for any type of change to a medical device.
 
7/29/2016  FDA Draft Deciding if a new 510(k) is needed   
OBSOLETE: Final Guidance Issued Oct. 25, 2017
FDA issued a draft guidance entitled "Deciding When to Submit a 510(k) for a Change to an Existing Device" on August 8, 2016. This guidance, when finalized, will supersede the prior guidance issued in 1997. The full guidance is at the link provided. Note that FDA simultaneously released a draft guidance for when to submit a new 510(k) for software changes specifically.
 
7/29/2016  FDA Draft Unique Identifier Guidance   
FDA issued a draft guidance entitled "Unique Device Identification System: Form and Content of the Unique Device Identifier (UDI)" on July 25, 2016. When finalized, this draft document will clarify for industry, FDA-accredited issuing agencies, and FDA staff the requirements under 21 CFR 801.40. "Specifically, this draft guidance defines the expected content and forms of the Unique Device Identifier (UDI), to assist both labelers, as defined under 21 CFR 801.3, and FDA-accredited issuing agencies, as defined under 21 CFR 830.3, to better ensure the UDIs developed under systems for the issuance of UDIs are in compliance with the Unique Device Identification System Rule, 78 FR 58786 (September 24, 2013) (UDI Rule)." The full guidance is at the link provided.
 
7/28/2016  SoftwareCPR expands Cybersecurity Services   
SoftwareCPR® now offers a full service approach to assist your company with pre-market and post-market cybersecurity planning, evaluation, vulnerability and validation services. We combine experience with FDA expectations for analysis and control of cyber vulnerabilities with state-of-the-art and highly sophisticated methods and experience through our expert cybersecurity affiliate. We can support small medical device startups to multi-national corporations, low risk to high risk and simple to complex devices. Our approach is risk-based, using risk and threat analysis early in the process to help prevent late-cycle changes that are costly. Our cybersecurity services description is at the link provided.
7/21/2016  FDA Interoperability Initiative Webpage   
  
6/26/2016  EU_Data_Protection_Regulation Web page   
Sherman Eagles of SoftwareCPR summarizes below. NOTE: There is no grandfathering under the GDPR, so in May 2018 all existing systems must be able to meet these requirements. The European Union General Data Protection Regulation (GDPR) has been published in the Official Journal. The Regulation entered into force in May 2016, and will apply from May 2018 following transposition into national law by the Member States of the EU. This regulation applies to all companies collecting and processing personal data in the EU and does include medical devices. It specifically lists genetic data and biometric data as sensitive personal data. Developers (both medical device and health products that are not regulated as medical devices that collect or process personal data) will be under specific obligations to introduce data protection by design and default into their systems. The GDPR also introduces an obligation to report data breaches to data protection authorities and to affected individuals if the personal data breach is likely to result in a risk to individuals. It also includes the “right to be forgotten” which means that companies will need to be able to erase upon request any personal health data that they collect or process. There is also a “right of data portability” which allows a patient to request their data or request that their data be provided to another provider.
6/23/2016  EU IVD Trilogue Agreement   
See the item on the MDR Trilogue Agreement for further explanation. The text for the IVD draft is at the link provided here.
6/23/2016  EU MDR Trilogue Agreement   
This agreement includes a number of clarifications to the EU Medical Device Regulations. Sherman Eagles of SoftwareCPR summarizes some of the key points. The Environment, Public Health and Food Safety (ENVI) Committee of the European Parliament and Council’s Committee of Permanent Representatives (COREPER) voted to endorse the trilogue agreement on June 15. The draft MDR text is at the link provided. The text still needs to have legal editing and translation before it will be published in the Official Journal. This is expected around the end of the year and there will be a three year transition so it will be enforced around the beginning of 2020.

A couple of things specific to software in the MDR:
- “It is necessary to clarify that software in its own right, when specifically intended by the manufacturer to be used for one or more of the medical purposes set out in the definition of a medical device, is qualified as a medical device, while software for general purposes, even when used in a healthcare setting, or software intended for life-style and well-being application is not a medical device. The qualification of software, either as device or accessory, is independent of its location or type of interconnection between the software and a device.”
- One of the risks that must be removed or reduced is “the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts” (Annex I Clause 11.2)
- In the specific requirement for software in Annex I Clause 14.2 the phrase "including information security" has been added to the list that software must consider and use state of the art principles.
- Software intended to be used with mobile platforms needs to consider specific features of mobile devices.
- A new requirement was added “The manufacturer shall describe minimum requirements on hardware, IT networks characteristics and IT security measures, including protection against unauthorized access, necessary to run the software as intended.”
- Requirements for software placement for software.
- Classification rules for software as a medical device (Annex VII section III clause 5.2a.). These appear to be taken from the IMDRF SaMD classification rules.
 
6/20/2016  DiabetesTechSociety-DTSec-standard   
The purpose of DTSec is to establish a standard used to provide a high level of assurance that electronic products for the treatment of diabetes deliver the security protections claimed by their developers and required by their users. 
6/20/2016  EU_Data_Protection_Regulation   
This regulation applies to all companies collecting and processing personal data in the EU and does include medical devices. There is NO grandfathering under the GDPR, so in May 2018 all existing systems must be able to meet these requirements. It specifically lists genetic data and biometric data as sensitive personal data. Developers (both medical device and health products that are not regulated as medical devices that collect or process personal data) will be under specific obligations to introduce data protection by design and default into their systems.
6/17/2016  FDA Draft Guidance Benefit-Risk in Medical Devices   
OBSOLETE: Draft for historical reference only. The FINAL was issued Dec. 2016 and is available on this site in News and Library.
The US FDA issued a draft guidance entitled: "Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance, and Enforcement Decisions". This draft defines FDA's approach to evaluate the Risk-Benefit relationship when evaluating information about medical devices. The guidance includes examples on how it applies to product availability (e.g., recalls and shortage) and also to compliance and enforcement decisions. It also includes a short Appendix on the relationship to ISO 14971 use of similar terms. The remaining appendices appear quite useful as checklists for things to consider and address in internal pre and post market risk evaluations and as a summary of the guidance.
6/9/2016  SoftwareCPR May2016 Newsletter   
This version of the SoftwareCPR.com newsletter lists items added to the web site from Jan 2016, through May 2016. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
5/18/2016  FDA Guidance IDE Device Medicare Coverage   
The US FDA issued a draft guidance entitled: "FDA Categorization of Investigational Device Exemption (IDE) Devices to Assist the Centers for Medicare and Medicaid Services (CMS) with Coverage Decisions". This draft defines criteria for determination of Class A or B. This is very important for companies where Medicare/Medicaid reimbursement is a factor. The key is whether FDA considers a device experimental (where safety and effectiveness is unknown per 42 CFR 405.201(b)) or investigational (where initial questions of safety and effectiveness have been resolved per 42 CFR 405.201(b)). 
5/18/2016  FDA Use of EHR data in Clinical Investigations   
The US FDA issued a draft guidance entitled: "Use of Electronic Health Record Data in Clinical Investigations". This draft addresses a variety of issues including EHRs certified by ONC, data modifications, audit trails, informed consent, and Privacy and Security. The full draft guidance is at the link provided. 
5/17/2016  FDA Final Postmarket Surveillance Guidance   
The US FDA issued a final guidance entitled: "Postmarket Surveillance Under Section 522 of the Federal Food, Drug, and Cosmetic Act" dated May 16, 2016. The full guidance is at the link provided. This includes special provisions for devices used on pediatric populations. 
5/7/2016  FCC Digital Health Initiative   
The US Federal Communications Commission has an initiative named Connect2HealthFCC for exploring the intersection of broadband, advanced technology and health and further charting the broadband future of health care – serving as an umbrella for all FCC health-oriented activities. The web page for this initiative is at the link provided. FCC works jointly with other agencies in this arena such as FDA and ONC.
 
4/14/2016  Cybersecurity Article by Sherman Eagles   
Sherman Eagles of SoftwareCPR coauthored an article published by AAMI in its Jan/Feb 2016 BIT Journal entitled "Cybersecurity for Medical Device Manufacturers: Ensuring Safety and Functionality". The full article is at the link provided.

Sherman and other SoftwareCPR experts can assist you with training and consulting related to Cybersecurity and compliance with related FDA guidance. Leave a message on our website or call 781-721-2921 US.
Sherman is well known as an expert in medical device standards and has been involved in many standards activities with IEC, ISO, and AAMI. Sherman also leads our premium Standards Navigator subscription which provides monthly updates on standards work. For more information on this click "Subscription Info" on the www.softwarecpr.com menu bar.
 
4/5/2016  FDA Standards Recognition List Update April 2016.   
FDA updated their list of Recognized Standards April 4, 2016. The full list is at the link provided. There were several updates related to software standards as listed below. The new edition of IEC 62304 1.1 2015-06 replaces the prior edition. The new 2014-2015 edition of IEEE 11073-20601 Personal Health Data communication replaces the previous 2010 edition.

In addition, there was one new standard recognized related to software. IEEE 11073-10419:2015 for Personal Health device communication for insulin pumps.

SoftwareCPR experts including those involved in development of IEC 62304 and its first Amendment are available to provide guidance on its implementation as well as training.
 
3/29/2016  CareFusion Pyxis Homeland Security Alert   
On March 29, 2016 the US Department of Homeland Security issued an Advisory regarding the Carefusion Pyxis SupplyStation System Vulnerabilities that would only require an attacker with low skills. It is interesting to note the last of mitigations included in this alert. 
3/22/2016  IEC 62304 Amendment 1 Reminder   
Amendment 1 of "IEC 62304 Medical device software -- Software Life cycle processes" was issued in 2015. Although the focus of the Amendment was to include a special provision for Legacy software as well as clarifications and changes to Safety Classification, a number of other substantive changes were made, including significant additional requirements for Class A software. Paid Subscribers to SoftwareCPR.com can login and download our revised checklist with changes highlighted from the website Library. As a quick PARTIAL list of the more significant changes:
- Section 4.4 Legacy Software added
- Safety Classification definitions modified to be based on Risk of Harm and after consideration of Risk Control measures external to SW
- Section 5.1.12 procedure for categorizing defects and demonstrating they do not result in unacceptable risk
- Section 5.2.2.j added for IT-network aspects
- Section 5.3.5 requirement to state how to ensure segregation is effective
- Section 5.4.2 and 5.4.3 design for each unit and interface exists with enough detail for implementation
- Section 5.5.2 test procedures evaluated for adequacy
- Section 5.7 All elements now required for Class A software and more detail in 5.7 on test evaluation and records
- Sections 5.8.1, 5.8.2, 5.8.7 and 5.8.8 of Software Release now required for Class A software
- Sections 6.2.1.1, 2 and 3 added "intended use" monitoring and evaluation
- Section 6.2.3 and 6.3.2 now required for Class A software
- Section 7.1.5 and 7.3.2 are deleted removing requirement to document sequences of events as part of risk management.
- Section 9.2.1 changed to require problem reports to include a statement of criticality

SoftwareCPR experts including those involved in development of IEC 62304 and its first Amendment are available to provide guidance on its implementation as well as training.
 
3/16/2016  FDA Inspection Observation Summary for 2015   
FDA issued "2015 Annual FDA Medical Device Quality System Data Inspections, FDA Form 483 Observations, and Warning Letter Citations". The full report is at the link provided.

This report identifies numbers of observations and inspections by country as well as observations by Quality subsystem. FDA noted that the number of foreign inspections has increased. Production and Process Controls and CAPA continue to be the most frequently cited.

The most frequent Design Control citations were Design Validation by a large margin, then Design Changes, followed by Design Verification, with a much lower number related to other elements of Design Control.
 
3/15/2016  US MedTech Act   
In Q2 2015 a bill S.1101 was introduced in the US Senate that would restrict FDA regulation of certain products. It is entitled "Medical Electronic Data Technology Enhancement for Consumers’ Health Act or the MEDTECH Act". The last committee action taken on this bill was on March 9, 2016.

Some interesting aspects of this bill (a bill is only a proposal) include a list of types of software that would be exempt from FDA regulation and a change in how FDA can classify accessories to medical devices. The Congressional Research Service (CRS) summary is at the link provided.

The FDA must classify a medical device accessory based on its intended function, not based on the classification of the medical device with which it is used.
 
3/8/2016  ISO 13485:2016 Highlights   
Attached is a summary of highlights and rationale, along with some practical implementation tips prepared by Sherman Eagles of SoftwareCPR.

Some of the revisions add items included in FDA's 21 CFR 820 Quality System Regulation such as Design Transfer, validation of automation of quality system activities, detailed records, and others.

As part of our RegulatoryCPR services we can assist you in your gap analysis and interpretation of this new revision. Although many know SoftwareCPR as experts in software related regulation, compliance, and safety, we also have a long track record providing expert consultation, training, and negotiation with regulatory authorities (including FDA enforcement actions) related to Quality System requirements, including international standards, and premarket submissions. Our focus is on efficient compliance and product safety and effectiveness and we can assist you in planning for implementation of this new version of 13485 including applying risk management to its interpretation. For more information contact Alan Kusinitz at 781-721-2921 alan@softwarecpr.com or Brian Pate 813-766-0563 brian@softwarecpr.com .

Sherman is well known as an expert in medical device standards and has been involved in many standards activities with IEC, ISO, and AAMI. Sherman also leads our premium Standards Navigator subscription which provides monthly updates on standards work. For more information on this click "Subscription Info" on the www.softwarecpr.com menu bar.
 
2/19/2016  UL/AAMI 2800 Medical Device Interoperability   
The Final Draft International Standard was approved at the end of 2015 and will be submitted for publication. The standard is expected to be published by the end of March. A three year transition period has been proposed. 
2/15/2016  SoftwareCPR January 2016 Newsletter PDF   
This pdf version of the SoftwareCPR.com newsletter lists items added to the web site from September 10, through Jan 2016. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
2/10/2016  FDA Draft Display Devices for Diagnostic Radiology   
FDA issued a draft guidance dated 9-Feb-2016 "Display Devices for Diagnostic Radiology". The guidance is at the link provided. This guidance may cause some confusion since software for medical imaging is outside its scope and described in a much earlier separate guidance. The new guidance focuses on physical display devices but includes the software/firmware embedded in these devices. The guidance indicates these devices are Class II requiring a 510(k) although most simple Medical Image Management software devices do not require 510(k)s based on the other guidance. Appendix B of the new guidance discusses Device modifications and states changes in graphics drivers and calibration software most likely would not require a new 510(k). The guidance also discusses Device Bundling in 510(k) submissions in Appendix C. Section 7 defines specific physical laboratory testing to perform and Section VIII provides extensive specifics and labeling requirements.
 
2/4/2016  FDA Draft Priority Devices for Human Factors Review   
FDA issued a draft guidance entitled "List of Highest Priority Devices for Human Factors Review". FDA is issuing this draft guidance document in order to inform medical device manufacturers which device types should have human factors data included in premarket submissions. For device types listed the guidance suggests that information indicated in the new Final HFE/UE guidance be included in the premarket submissions or that manufacturers provide a detailed rationale that supports the conclusion that human factors data are not necessary. The guidance also indicates FDA may recommend or require human factors data be included in premarket submissions through other guidance or on a case-by-case request basis by reviewers. It is interesting that the list of device types in this guidance does not include all high risk devices and no radiation emitting or radiation therapy devices are included. The full guidance is at the link provided.
 
2/3/2016  FDA Human Factors & Usability Engineering Guidance   
FDA issued a final guidance entitled "Applying Human Factors and Usability Engineering to Medical Devices". This replaces the 2011 draft guidance.

This guidance does not include software-specific usability design requirements but focuses on overall aspects of human factors and usability in general. Software and computer interfaces are mentioned in several places as important elements to consider. There is also an interesting reference on Page 35 to a 2003 study that identified the number of users needed to find most computer user interface problems. While this may not be directly relevant to identifying medical device usability and safety it probably provides some basis for defending the number of users chosen for usability testing to FDA reviewers.

This guidance defines Use Safety as a specific term in addition to Use Error.

Section 4 discusses HFE (Human Factors Engineering) / UE (Usability Engineering) in relation to medical device risk analysis and Section 7 discusses Elimination or Reduction of Use-related hazards.

Section 5 discusses considerations related to User Types, User Environments, and User Interface.

Section 6 discusses preliminary analysis and Section 7 discusses Human Factors Validation Testing. Section 6.2 lists a variety of public databases and information to consider when identifying known use-related problems.

Section 8 discusses documentation of HFE/UE.

SoftwareCPR provides expert consulting services in all aspects of Human Factors and Usability Engineering for Medical Devices.

The full guidance is at the link provided.
 
1/26/2016  FDA draft guidance Interoperable Devices   
NOTE: This is for historical reference as a final guidance was issued Sept 2017 and is posted separately.

FDA issued a new draft guidance entitled "Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Devices". This guidance addresses medical devices that exchange information whether wired or wireless including through the internet. It includes unidirectional exchange, bidirectional, or command and control. The guidance focuses on data exchange not physical connection types. It includes a section on information on interoperability to be included in premarket submissions.

Lines 275-297 identify 5 key considerations under 21 CFR 820.

Lines 314-341 identify key design considerations.

Lines 355-368 identify types of anticipated users to consider.

Lines 396-419 provide examples of security and risk management considerations.

Lines 445-458 provide examples of V&V considerations.

Section VI of the guidance defines information to be included in premarket submissions and includes describing the API (Application Programming Interface) if the software can be used by other software, medical device or system.

Lines 669 - 676 discuss interfaces intended only for use by the manufacturer's technicians.
 
1/25/2016  FDA Cybersecurity Workshop Materials   
FDA held a 2 day public cybersecurity workshop Jan 20-21, 2016. The output from the workshop sessions is at the FDA link provided. This includes links to the webcasts. 
1/20/2016  SoftwareCPR 2016 Standards Outlook   
Sherman Eagles of SoftwareCPR expects increased standards and regulatory activity related to Software and HealthIT in 2016. Here are some of the areas to watch:
- IEC 82304-1 Health Software: General requirements for safety will be completed during the first half of 2016. It is intended that this standard be harmonized in the EU, but it is not clear when this may happen.
- A first committee draft of the second edition of IEC 62304 will be circulated for review in the first half of 2016. The second edition will expand the scope of the standard to health software.
- New standards for health software covering all parts of the life cycle will be proposed in 2016.
- AAMI will move its work on HIT quality management systems and HIT risk management forward. The goal is to complete these by the end of 2016.
- A revision of IEC 80001-1 will begin in 2016.
- The revision to ISO 13485 will be published in the first half of 2016.
- ISO 14971 is currently under review. It is likely that a revision (amendment or new edition) will be started in 2016.
- A second amendment to IEC 60601-1 will be started in the second half of 2016. This amendment is scheduled to be completed in 2019. A fourth edition of 60601-1 will be started following the completion of the amendment and will be scheduled for completion in 2024. Discussions about the structure of the fourth edition will likely begin in 2017 and decisions made before work is started on the fourth edition.
- The first deliverables from UL/AAMI 2800 on medical device interoperability should be completed in 2016.
- AAMI TIR 57 on medical device cybersecurity risk management will be published in 2016.
- Many documents, both standards and regulations, on security and privacy will be in process during 2016.

Sherman leads our Standards Navigator premium subscription. More information on this is available by clicking Subscription Info on our home bar.
 
1/18/2016  FDA 2015 Cybersecurity Workshop Program Book   
FDA held a public workshop "Collaborative Approaches for Medical Device and Healthcare Cybersecurity" October 21-22, 2014 in partnership with the Department of Homeland Security. The program book issued by FDA after the workshop was held is at the link provided. It contains information on the sessions, objectives, and speaker biographies. Sherman Eagles of SoftwareCPR was one of the speakers. 
1/15/2016  FDA Medical Device Cybersecurity Workshop   
The Food and Drug Administration (FDA) is announcing the following public workshop titled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” to be held Jan 20-21, 2016. FDA, in collaboration with the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services and the Department of Homeland Security, seek to bring together diverse stakeholders to discuss complex challenges in medical device cybersecurity that impact the medical device ecosystem.

The purpose of this workshop is to highlight past collaborative efforts, increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization’s processes) which are used to evaluate cybersecurity status, standards, and tools in development, and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.

For more information click the link provided.
 
1/10/2016  A few Medical Device software trends for 2016   
SoftwareCPR observations on a few Medical Device Software Trends for 2016 from Brian Pate of SoftwareCPR:

1) Desire for more frequent software releases - whether agile or not, the trend continues to move toward quicker response to customer feedback.

2) Fewer walls between different groups within an organization with much more integrated teams.

3) Formal user interface and "user experience" design is much more mainstream now, not just for the few, forward thinking companies.

4) Lean design / agile methods being used is predominant and formalized but iterative approaches abound.

5) Increasing use of tools - so many tools exist to support geographically dispersed teams, electronic documentation and records, automated testing, project management, etc. Concern: Not fully thinking through the use of the tool, process, and record keeping.

6) Greater acceptance of SOUP and OTS components ... but often poor risk management, change control, and verification of these components.
 
1/9/2016  FDA issues 2016 planned guidance list   
FDA issued "CDRH Fiscal Year 2016 (FY 2016) Proposed Guidance Development and Focused Retrospective Review of Final Guidance" at the link provided.

It includes plans to issue a final guidance on General Wellness Products which is often an intended use for software devices including many Mobile Medical Apps and plans to draft guidances on Medical Device Decision Support Software as well as Medical Device Interoperability.
 
1/9/2016  Obsolete FDA Draft Postmarket Cybersecurity Guidance   
OBSOLETE draft for historical reference only. Final issued Dec. 2016. Look in News or Library on this site for the final.

FDA issued a draft guidance entitled: "Postmarket Management of Cybersecurity in Medical Devices". This guidance when finalized will augment the FDA guidance related to cybersecurity information in premarket submissions. SoftwareCPR has extensive experience with premarket and postmarket compliance with FDA cybersecurity requirements and expectations and can provide consulting support as needed.

This guidance references a number of presidential Executive Orders related to critical infrastructure and cybersecurity as a driving force for FDA's increased oversight in this area. FDA also specifically recommends that manufacturers exercise "good cyber hygiene" and encourages use of the NIST document "Framework for Improving Critical Infrastructure Cybersecurity". This document defines elements to include consisting of "identify, protect, detect, respond, recover". Since it is referenced in this guidance it may become important for manufacturers to be able to articulate their cybersecurity approach in these terms to FDA investigators or premarket reviewers or at least map their terminology to these elements.

The document also states that "Irrespective of the originating source, a clear, consistent and reproducible process for intake and handling of vulnerability information should be established and implemented by the manufacturer. FDA has recognized ISO/IEC 30111:2013: Information Technology - Security Techniques - Vulnerability Handling Processes" and "should also adopt a coordinated vulnerability disclosure policy. FDA has recognized ISO/IEC 29147:2014: Information Technology – Security Techniques - Vulnerability Disclosure".

There are many terms and concepts in this guidance of interest including:
- the term "compensating control" which is essential manual controls.
- exercising good cyber hygiene to lower risk even beyond the acceptable risk limit
- making a binary decision whether the risk after controls is acceptable or unacceptable
- focusing cybersecurity risk evaluation on "essential clinical performance"
- use of a common vulnerability scoring system for probability as part of an exploitability analysis
- reinforcement of the premarket guidance in that product changes to strengthen cybersecurity are considered enhancements that would not normally require new premarket submissions and for PMA products would only need inclusion in the annual reports

Lines 581-590 indicate that vulnerabilities that meet all of the following conditions would not require reporting under the Corrections and Removal or Medical Device reporting rule:
1) There are no known serious adverse events or deaths associated with the vulnerability,
2) Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and
3) The manufacturer is a participating member of an ISAO, such as NH-ISAC.

Executive Order 13691 Feb. 13, 2015 encouraged development of Information Sharing Analysis Organizations (ISAOs) and FDA is exempting Manufacturers from certain things if they participate with an ISAO. An ISAO is essentially an organization for sharing of cybersecurity information with specific liability protections under the law. FDA has entered into a memorandum with one ISAO as indicated on line 121.

If you are not already a paid subscriber consider subscribing to receive all of our bulletins, newsletters, and access to education materials on our website including some Q&A with our experts. Click Subscription Info on our home bar for more information.
 
1/4/2016  62304 Amendment 1 Reminder of Changes   
In July 2015 an amendment was issued to IEC 62304. While this amendment was focused on additions for Legacy software and clarifications to the use of risk in safety classification keep in mind that a number of other smaller changes and additions were made. Some of the more significant ones include:

1. Reduction in the exemptions for Class A software (summarized in Appendix A),
2. New section 5.1.12 Identification and avoidance of common software defects which requires planning to include procedures for identifying categories of defects and evidence these defects do not contribute to unacceptable risk.
3. Sections on detailed design now require specifications detailed enough to ensure proper implementation for Class C software.

A redlined version of all changes made by the amendment can be purchased at the IEC and ANSI websites.
 
12/5/2015  FDA New eCOPY for Medical Device Submissions   
FDA issued "eCopy Program for Medical Device Submissions" guidance dated Dec. 3, 2015. This document is at the link provided and replaced the prior version dated Oct 10, 2013. Electronic copies are required for many types of submissions to FDA. Section 6 Table 1 indicates which submissions require eCopies and how many and which are voluntary. Attachment 1 provides technical standards for eCopies, which are organized PDFs, and FDA encourages use of bookmarks and hyperlinks. 
11/19/2015  FDA Medical Device Cybersecurity Public Workshop.   
"The FDA approach to Cybersecurity has been evolving and has involved a lot of collaboration with another Federal agency - NIST - as well as with industry representatives. If you look at the details of the NIST framework, it closely aligns with the FDA guidance, and I expect that to continue. FDA has planned another workshop in January to discuss the 'collaborative approach' where we should expect enlightening discussion of remaining gaps and creative approaches to close those gaps." - SoftwareCPR Partner Stan Hamilton

Public Workshop – Moving Forward: Collaborative Approaches to Medical Device Cybersecurity
January 20-21, 2016 FDA White Oak Campus, Silver Spring, MD

The Food and Drug Administration (FDA) is announcing the following public workshop titled “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.” FDA, in collaboration with the National Health Information Sharing Analysis Center (NH-ISAC), the Department of Health and Human Services and the Department of Homeland Security, seek to bring together diverse stakeholders to discuss complex challenges in medical device cybersecurity that impact the medical device ecosystem.
The purpose of this workshop is to highlight past collaborative efforts, increase awareness of existing maturity models (i.e. frameworks leveraged for benchmarking an organization’s processes) which are used to evaluate cybersecurity status, standards, and tools in development, and to engage the multi-stakeholder community in focused discussions on unresolved gaps and challenges that have hampered progress in advancing medical device cybersecurity.
 
11/19/2015  MMApp used with Drugs   
Although FDA's Device Center tends to exempt many Mobile Medical Apps from regulation, FDA's Drug Center has its own approach. Our current understanding is that mobile apps distributed with drugs are considered part of a combination product in many cases and the Drug Center will review the MMApp information as part of the product approval process. 
11/19/2015  Software Recall Summary 2004-Oct2015   
Based on our searches and posting of software related recalls there appears to be a significant increase of recalls reported to FDA in 2008 and then some reduction but still higher than prior years in 2009. Then a bit lower in 2010 and significantly higher in 2011-2014. It is unclear if this indicates a decrease in safety, an increase in the number of software based devices or the functionality that software controls, or simply an increase in reporting. Yearly total software recalls to the best of our ability to identify were:

Through Oct 2015 - 190
2014 - 228
2013 - 197
2012 - 173
2011 - 177
2010 - 76
2009 - 90
2008 - 132
2007 - 82
2006 - 81
2005 - 66
2004 - 84
 
11/18/2015  FDA Nov 4 Workshop Materials   
Materials from FDA's Nov 4, 2015 industry basics workshop on Purchasing Controls and Process Validation are at the link provided. Software is mentioned in both presentations. 
11/16/2015  IMDRF Standalone SW QMS Guidance   
A new International Medical Device Regulators Forum (IMDRF) document was finalized. It is Software as a Medical Device (SaMD): Application of Quality Management System. The objective of the document is to provide guidance on the application of existing standardized and generally accepted QMS practices to SaMD.
The document is at the link provided or can be downloaded from the IMDRF.org website.
 
11/12/2015  ISTQB Agile Tester Certification   
Paul Felten of SoftwareCPR has successfully passed the ISTQB Agile Tester Certification exam. The ISTQB Agile Tester certification was created to account for new emerging practices and methodology changes in the software testing industry. Based on the foundation level syllabus, this certification ensures that software testers and professionals alike have the necessary knowledge and skills to participate in Agile environments. SoftwareCPR has helped many medical device companies using agile development lifecycles achieve compliance while remaining flexible, lean, and efficient. 
11/9/2015  Brian Pate's Twitter Feed   
SoftwareCPR Brian Pate's twitter feed is at the link provided. He tweets a variety of updates and tips on a regular basis. 
11/9/2015  FDA Accredits UDI Agencies   
"FDA has accredited three organizations as UDI issuing agencies: GS1, Health Industry Business Communications Council (HIBCC), and International Council for Commonality in Blood Banking Automation (ICCBBA). This document contains information and links related to the format of the unique device identifier (UDI) for each FDA-accredited issuing agency. Each FDA-accredited issuing agency has a unique UDI format that has been approved by FDA during the initial accreditation process. Any changes to the format of the UDI by an issuing agency must be approved by FDA before implementation. Please contact the issuing agency directly to obtain a UDI and for any additional questions regarding the creation or implementation of the formats." The full document from FDA is at the link provided. 
10/19/2015  FDA Physiological Closed Loop Workshop   
FDA held a public workshop October 13-14, 2015 entitled "Public Workshop - Physiological Closed-Loop Controlled Devices". Webcasts and other outputs from this workshop are available at the link provided. 
10/11/2015  AAMI TIR57 Medical Device Security Risk Std Update   
A committee draft for vote has been circulated for the AAMI TIR 57 Principles for medical device information security risk management - Risk management.
The objective of this TIR is to provide guidance on how medical device manufacturers can manage risks from security threats that could impact the confidentiality, integrity, and/or availability of the device or the information processed by the device. Because medical device manufacturers are already familiar with ANSI/AAMI/ISO 14971:2007, this guidance follows the basic structure of that standard. AAMI has issued a draft for vote by participating members.
 
10/11/2015  ONC 2015 IT Certification Criteria   
ONC. 2015 Edition Health IT Certification Criteria intended to increase interoperability. On October 6, the Office of the National Coordinator for Health IT (ONC) published the final rule for the 2015 Edition Health IT Certification Criteria intended to increase interoperability - a secure but seamless flow of electronic health information - and improve transparency and competition in the health IT marketplace. On the same date, the Centers for Medicare and Medicaid Services (CMS) published a final rule that specifies the requirements that eligible providers and hospitals must meet to qualify for Electronic Health Record (EHR) incentive payments and solicits feedback about the Electronic Health Record (EHR) Incentive Programs going forward.

Incorporation of UDIs into electronic health information is a critical cornerstone of the FDA's plan to strengthen our National Medical Device Postmarket Surveillance system. Although full implementation of the unique device identification system will take several years, the inclusion of UDIs for implantable devices as part of EHR certification criteria and the CCDS are pivotal to developing the infrastructure needed to incorporate standard, structured device information into Health IT.
 
9/23/2015  FBI Cybersecurity Warning for Medical Devices   
The FBI issued a Public Service Announcement on the Internet of Things that includes "Criminals can also gain access to unprotected devices used in home health care, such as those used to collect and transmit personal monitoring data or time-dispense medicines. Once criminals have breached such devices, they have access to any personal or medical information stored on the devices and can possibly change the coding controlling the dispensing of medicines or health data collection. These devices may be at risk if they are capable of long-range connectivity." "Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor;"
9/20/2015  FDA CDRH Learn HealthIT and Cybersecurity Modules   
FDA maintains a webpage for its educational modules, referred to as CDRHLearn, at the link provided. Clicking on Specialty Technical Topics on that page opens a list with a section for IT and Software that includes 3 modules on Digital Health, Cybersecurity information in premarket submissions and CDRH regulated software.
9/10/2015  SoftwareCPR September 2015 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site from June 2015 to September 10, 2015. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
9/8/2015  Toxic gene guidance software information   
On August 27, 2015 FDA issued a guidance titled "Class II Special Controls Guideline Document: Toxin Gene Amplification Assays for the Detection of Clostridium difficile". This guidance refers to software information required in a premarket submission. In addition to repeating information in the general software submission guidance, it indicates most IVDs of this type are moderate level of concern but the level of concern should be determined prior to mitigation. It also states "You must clearly describe how raw signals are converted into a result including adjustment to the background signal for normalization, if applicable." It also states "Before beginning clinical studies, the configuration of the hardware and software components must be very similar or identical to the final version of the device. A risk assessment must be performed if any significant changes are made to the hardware or software after the completion of the clinical studies and before the clearance and distribution of the device."
9/2/2015  AAMI Agile Methods Compliance Course   
Brian Pate, Partner with SoftwareCPR, will be teaching the "Effective Application of Agile Practices in the Development of Medical Device Software" in Arlington, VA, October 6 - 7, 2015. This course will help participants understand the challenges of using agile methods while conforming to IEC 62304 and 21 CFR 820.30 design controls. For more information, just email Brian at brian@softwareCPR.com or leave a message at the link provided.

SoftwareCPR can also provide more tailored training at your facility in these very important areas:

ISO 14971 Risk Management
IEC 62304 Software Development Processes including Agile Methods
IEC 62366 Usability and Human Factors Engineering with Risk Focus
ISO 13485 Quality Management Systems

Our onsite courses can be provided in a general approach to teach the standards or tailored to your products and risk levels. Each course can be offered in 1, 2, or 3 day formats depending on the number of exercises provided. All our courses can typically be used to satisfy your training requirements. For more information, just email Brian at brian@softwareCPR.com.
 
8/19/2015  FDA Quarterly MDR Reporting Pilot Program   
FDA is initiating a pilot program that would allow quarterly reporting of MDRs for certain Class I and Class II devices in situations that do not result in death or serious injury or where a correction is not needed to prevent this. Companies can apply to participate in this pilot as indicated in the FDA announcement at the link provided.
8/14/2015  FDA Premarket Exemptions August 2015   
FDA issued the document "Intent to Exempt Certain Unclassified, Class II, and Class I Reserved Medical Devices from Premarket Notification Requirements". The exemptions cover many types of devices. The document is at the link provided.
8/14/2015  Health IT Medication Overdose Article   
Interesting write up: "How Medical Tech Gave a Patient a Massive Overdose". At the link provided. 
8/14/2015  OBSOLETE: FDA New Refuse to Accept Policy for 510(k)s   
OBSOLETE. A new version was published in 2018 and is available in News and Library on our site. FDA issued the document "Refuse to Accept Policy for 510(k)s". The document supersedes the now obsolete 2012 guidance and is at the link provided. Software is mentioned 32 times and Section H provides specific software items as part of the RTA checklist.
7/31/2015  FDA cybersecurity Safety Communication - Hospira   
FDA issued a safety communication to health care facilities using the Hospira Symbiq Infusion System regarding cybersecurity vulnerabilities. FDA is advising facilities to seek alternative infusion systems. In the interim it is recommended that the systems be disconnected from networks and that the drug libraries be maintained by updating them manually, along with other recommendations.
7/31/2015  NIST Healthcare Cybersecurity Framework   
The National Institute of Standards and Technology issued Version 1 of its framework for improving cybersecurity for critical infrastructure including health care. The full press release is at the link provided.
7/30/2015  FTC fines MMApp with Medical Claims   
The Federal Trade Commission is taking enforcement actions against Mobile Apps that make unsubstantiated, non-FDA-cleared medical claims. One of the FTC postings on this is at the link provided.
7/13/2015  IEC 62304 first amendment published   
The first amendment to IEC 62304 has been published as edition 1.1. You can purchase just the amendment telling you what is changed or a consolidated redline version. It is currently available from ansi.org or iec.ch. AAMI will publish it in the near future and it may be expensive to purchase from AAMI. This amendment mainly focuses on clarifying safety classification to allow consideration of factors external to software that reduce the risk of harm to potentially lower the safety class, and on stating alternative requirements for conformance for legacy software. It also clarifies the scope of application of 62304 to software executed on a processor. This excludes various types of electronics that may have complex but hard coded logic. Note that although outside the 62304 scope it is up to Notified Bodies to determine what is required by the medical device directives. This amendment is expected to replace edition 1 as an EU harmonized standard, but there is no timetable for this at present.
7/13/2015  NEMA Medical Image Management SW Guidance   
The National Electrical Manufacturers Association (NEMA) has published a guidance document on supply chain best practices for electrical equipment and medical imaging manufacturers to minimize the possibility that bugs, malware, viruses, or other exploits can be used to negatively impact product operation. The document is a representation of identified best practices that vendors can implement as they develop, manufacture, and deliver products as part of the supply chain. The document addresses supply chain integrity through four phases of the product life cycle: manufacturing and assembly, tamper-proofing, security development life cycle, and decommissioning/revocation. Although directed at Medical Image Management products, some of the content could be of value to consider for other types of medical device software. The NEMA guidance document is available at the link provided.
7/6/2015  SW security Common Weakness Enumeration   
The CWE can be a useful reference to use when performing medical device software risk management and security vulnerability analysis. The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS). A detailed CWE list is currently available at the MITRE website; this list provides a detailed definition for each individual CWE. 
7/5/2015  Australian TGA Presentation on SW Regulation   
In August 2014 the Australian Therapeutic Goods Authority (TGA) gave a presentation on its approach to software regulation of medical devices. This is a short and very clear high level presentation that explains the TGA's focus and use of relevant standards such as 62304 as well as its focus on safety and risk management. The slides from the presentation are at the link provided.
6/9/2015  SoftwareCPR June 2015 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site from February 2015 to June 9, 2015. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
5/25/2015  62304 Amendment Status May 2015   
The ballot on the final draft of the IEC 62304 amendment which focuses on safety classification and legacy software closes in May. We expect publication by July, followed by a consolidated version that incorporates the amendment. Adoption by CENELEC as an EN is happening concurrently, so harmonization by the EU should happen late this year or early next year.
5/25/2015  IMDRF Standalone Medical Device SW Draft   
The International Medical Device Regulators Forum (IMDRF) SaMD draft of a quality system for Software as a Medical Device is available for public comment on the IMDRF website at the link provided. 
5/13/2015  FDA MedWatch Infusion Pump Cybersecurity Alert   
FDA issued a MedWatch alert May 13, 2015 regarding security vulnerabilities in Hospira's LifeCare PCA3 and PCA5 Infusion Pump Systems. A researcher has shown that exploiting the vulnerabilities could allow an unauthorized user to remotely modify the dosage delivered. Homeland Security was previously working with Hospira about this vulnerability. The full MedWatch notice is at the link provided.
4/30/2015  Infusion Pump Security Vulnerability   
Hospira Lifecare PCA infusion pump running "SW ver 412" does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23. The Department of Homeland Security has been working with Hospira to get this resolved and Hospira will be performing a recall to correct this.
4/14/2015  SoftwareCPR Automated Testing partnership   
SoftwareCPR® is pleased to announce their silver service partnership with Ranorex®, an excellent test automation tool and company. As a silver partner, SoftwareCPR® is recognized as having the quality and experience needed for developing automated tests using Ranorex®, both in regulated and non-regulated environments.

SoftwareCPR® recognizes that the quality, cost, and functionality of Ranorex® automation is rarely matched by other test automation tools, and have pursued a partnership to benefit our client test automation with lower costs through faster development, and to promote increased regression with greater coverage and robustness of tests.

For hands-on Ranorex® development, training, or other inquiries related to Ranorex® test automation, or to see how test automation can benefit medical devices, contact Brian Pate at Brian@SoftwareCPR.com. Let our Ranorex® Certified Professional Validation Specialists jump-start test automation for your medical device software.
 
4/13/2015  Best Practices in Risk Management Terminology   
AAMI published an article entitled: "Best Practices in Applying Medical Device Risk Management Terminology" in its Spring 2015 Horizons publication. Alan Kusinitz, Founder of SoftwareCPR, co-authored this article and a reprint is provided with the permission of AAMI at the link provided. This is for your personal reference not for wider distribution due to the AAMI copyright. 
4/8/2015  ECRI 2015 Patient Safety Concerns   
ECRI has released their top 10 Patient Safety Concerns for 2015. Second on the list is "Data Integrity: Incorrect or missing data in EHRs and other HealthIT systems". While we are not surprised to see this area of patient safety risk on the list, SoftwareCPR believes that many of these data integrity hazards could easily be eliminated or risk reduced through simple to implement active risk controls designed into the software during development. Simply arguing that Design Controls and risk management requirements will "slow down" the development of HealthIT is a poor excuse for not adding simple data integrity checks and defensive coding practices. IEC/TR 80001-2 (or AAMI TIR32) is an excellent resource to help your team identify these hazards and provides common risk control methods. SoftwareCPR experts can perform data integrity assessments or help you define effective data integrity risk control measures as part of your design and risk management.

The ECRI webpage with the full list is at the link provided.
 
4/8/2015  HumanFactorsCPR Consulting Services   
Crisis Prevention and Recovery, LLC (CPR) is excited to announce the formation of a new business speciality, HumanFactorsCPR. HumanFactorsCPR is the fourth business speciality under the CPR brand, joining SoftwareCPR, ValidationCPR, and RegulatoryCPR.

"One of the most attractive features of our new HumanFactorsCPR services is our capability to bridge the risk analysis process with the usability engineering process and expert human factors-based design and testing", states Alan Kusinitz. "We have always been known for our unique expertise with risk management, but now with the addition of a human factors expert, we can carry the process forward for our clients with planning and management of formative and summative studies to evaluate the effectiveness of the risk controls."

HumanFactorsCPR can help medical device and HealthIT companies plan an effective usability engineering program to comply with IEC 62366 and FDA guidance for human factors content in regulatory submissions. For more information, email brian@HumanFactorsCPR.com.
 
3/31/2015  Joint Commission Free online course on HealthIT   
The Joint Commission, the nation's largest accreditation organization for hospitals, offers a free one hour online course entitled "Investigating and Preventing Health Information Technology-Related Patient Safety Events" at the link provided.
3/31/2015  Joint Commission Issues Alert on Health IT   
The Joint Commission, the nation's largest accreditation organization for hospitals, issued a Sentinel Alert on Health IT. The full alert is at the link provided.
3/20/2015  ONC Prepub Proposed 2015 HIT certification Reqs   
The draft of the US ONC proposed 2015 HealthIT certification requirements rule is at the link provided. The final will be published March 30, 2015. This new version requires use of a quality system and states:

"....QMS established by the federal government and SDOs include FDA's quality system regulation in 21 CFR part 820, ISO 9001, ISO 14971, ISO 13485, and IEC 62304. We encourage health IT developers to choose an established QMS, but developers are not required to do so, and may use either a modified version of an established QMS, or an entirely 'home grown' QMS. In cases where a health IT developer does not use a QMS established by the federal government or an SDO, the health IT developers must illustrate how their QMS maps to one or more QMS established by the federal government or SDO through documentation and explanation that links the components of their QMS to an established QMS and identifies any gaps in their QMS as compared to an established QMS. We clarify that we have no expectation that there will be detailed documentation of historical QMS or their absence. The documentation of the current status of QMS in a health IT development organization would be sufficient."

The actual proposed regulation is at the bottom of the document. The beginning is the discussion.
 
3/4/2015  AAMI TIR 80001-2-5 Distributed Alarm Systems   
ANSI/AAMI/IEC TIR80001-2-5:2014 "Application of risk management for IT-networks incorporating medical devices - Part 2-5: Application guidance - Guidance on distributed alarm systems" has been published. Sherman Eagles of SoftwareCPR was a co-chair for this.
3/2/2015  Risk Management for Foreseeable Misuse   
Stan Hamilton and Brian Pate of SoftwareCPR offer the following tip.

As risk managers, we often struggle to draw the line for inclusion of foreseeable misuse. We ask questions like what is credible, and how far must you go? When performing risk analysis, we decide if it is credible enough to list as a hazard cause, and to consider adding risk controls. In the case of a recent recall, it causes one to consider those difficult risk management decisions. Would it have been better to be more conservative and add another software risk control for a particular case of misuse? A dangerous modification was made by third party personnel. The unit was able to continue functioning with active energy, and led to an adverse event.

Of course, from the outside looking in, it is only speculation. It does remind us (and we often encourage clients) to add risk controls, even if the initial risk evaluation is extremely low, if they are relatively easy to add. Often, the engineers, if aware early enough in the process, will say that risk controls are easy to add and have very little impact on unit cost or development schedules. So integrate risk management planning very early in your design process and don't hesitate to add simple risk controls even if you consider the likelihood of the misuse to be low.
 
2/28/2015  FDA Slides and transcript General Wellness   
On Feb 24, 2015 FDA held a webinar entitled: "Overview of Medical Device Data Systems, General Wellness Devices, and Medical Device Accessories". The slides and transcript are at the link provided.
2/28/2015  SoftwareCPR.com February 2014 Newsletter PDF   
This SoftwareCPR.com newsletter lists items added to the web site from October 2014 to February 2015. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
2/13/2015  IMDRF Documents Webpage   
The International Medical Device Regulators Forum (IMDRF) in which FDA participates continues to publish many documents including several related to software. The full document list is at the link provided. 
2/9/2015  FDA Revised Mobile Medical App Guidance Feb 2015   
FDA issued a revision to its "Mobile Medical Applications" Guidance Feb 9, 2015. The revision was to make this guidance consistent with the final "Medical Image Storage Devices, and Medical Image Communications Devices" guidance. Specific changes are FDA's exercising of enforcement discretion to exempt MDDS and some Mobile Medical Apps from compliance with the FDA regulation. Section V.B identifies types of MMApps for which FDA would not enforce requirements. Appendix A gives examples of MMApps that are not considered medical devices and Appendix B gives examples of MMApps that may be medical devices but for which FDA is exercising its enforcement discretion and not enforcing compliance.
2/6/2015  FDA Final MDDS Guidance   
FDA issued a final version of its guidance for "Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices". The document is dated Feb 9, 2015 although it was issued several days prior. This guidance is very significant as it states FDA is exercising discretion and not requiring compliance to the recent regulation for MDDS and goes further to indicate this also applies to Medical Image Management Communication and Storage Devices. The excerpt indicating this is repeated below and the full guidance is at the link provided.

"This means that for devices that meet the definitions in the regulations listed above, the FDA does not intend to enforce compliance with the regulatory controls, including registration and listing, premarket review, postmarket reporting, and quality system regulation for manufacturers of these types of devices."
 
2/6/2015  HealthIT Office of National Coordinator Calendar   
The Federal Advisory Committee calendar of meetings is at the link provided. Attendance or downloading of material for most of these meetings is open to the public.
2/6/2015  HealthIT ONC Quality System Standard Presentation   
HIT Implementation, Usability and Safety Workgroup Meeting
Friday, February 6, 2015 - SoftwareCPR Partners Sherman Eagles and Alan Kusinitz gave a presentation at ONC's request with recommendations on an approach to HealthIT provider quality systems regulation and standards. In addition to providing background on quality systems, SoftwareCPR recommended that a standard or guidance be written with representation from HealthIT vendors, Users and Regulators under the auspices of AAMI, and that it be written using IT/software terminology without direct inclusion of medical device software or quality system standards but with flexibility to allow organizations that have implemented systems using these standards or other general software/IT quality standards or methodologies to continue their approach. A copy of the SoftwareCPR slides is attached.
 
2/4/2015  Standards Navigator January Report   
SoftwareCPR's premium Standards Navigator subscription includes monthly reports from Sherman Eagles. An example report from January 2015 is at the link provided. If you have any interest in learning more about this subscription leave us a message on this website or call 781-721-2921. 
2/2/2015  AAMI HIT Quality Management Principles   
AAMI has filed a Project Initiation Notice with ANSI for a new standard on Application of Quality Management Principles and Practices to Health IT. The notice was published in the ANSI Standards Action publication on January 23. The notice is reproduced below.

BSR/AAMI HIT2000-201x, Application of Quality Management Principles and Practices to Health IT (new standard)

Stakeholders: Health IT producers, vendors, and manufacturers; healthcare providers; healthcare IT professionals; patient advocacy organizations; government representatives; and health-IT associations.

Project Need: There is need for the application of QMS principles and practices for health software and other HIT products that pose only moderate risk to patients and that are not regulated as medical devices. HIT products differ from medical device software in that HIT complexity comes primarily from the domain content, has a very different product life cycle and tends to evolve over the life of the product. Therefore, a QMS for such HIT needs to emphasize different quality management principles.

This standard will detail the application of Quality Management System (QMS) principles and practices for health IT software to improve patient safety.
 
1/31/2015  IEC TR 62366 Usability Engineering Guidance   
A committee draft (CD) of IEC TR 62366-2: Medical devices - Part 2: Guidance on the application of usability engineering to medical devices was issued for comment. This technical report provides medical device manufacturers with guidance on how to integrate usability engineering (also called human factors engineering) principles and user interface design practices into their overall medical device development processes. It focuses not only on usability as it relates to safety, but also on how usability relates to attributes such as task accuracy, completeness and efficiency, and user satisfaction. This is a companion document to IEC 62366-1 which is currently out for final (FDIS) ballot.
1/27/2015  FDA Adds Recognition for Several SW/HIT standards   
FDA added the following standards to their recognized standards list and published the new recognitions January 2015.

IEC TR 80001-2-5 2014. Application of risk management for IT networks incorporating medical devices--Part 2-5: Application guidance--Guidance on distributed alarm systems.

IEEE Std 11073-10425- Health informatics 2014. Personal health device communication, Part 10425: Device Specialization--Continuous Glucose Monitor (CGM).

LOINC 2.48 2014-06-27. Logical Observation Identifiers Names and Codes (LOINC).
 
1/20/2015  FDA General Wellness Product Policy Draft   
This draft was replaced by a final guidance in August 2016. It is provided here for historical comparison only.
FDA issued a draft "General Wellness: Policy for Low Risk Devices" Guidance Jan 20, 2015. This draft policy continues to redefine the borderline for FDA regulation/non regulation of Health IT along with their MDDS and MMApps guidances. The decision algorithm is of particular interest, especially if one gets to question 2.
 
1/18/2015  NIST Cybersecurity Framework Guidance   
The U.S. National Institute of Standards and Technology issued a document entitled "Framework for Improving Critical Infrastructure Cybersecurity" dated February 12, 2014. This document is now being used by FDA as a reference in its cybersecurity program and is at the link provided.
1/14/2015  AAMI HIT Risk Management Standard   
AAMI has filed a Project Initiation Notice with ANSI for a new standard on HIT risk management. The notice was published in the ANSI Standards Action publication on December 19. The notice is reproduced below.

BSR/AAMI HIT1000-201x, Risk Management for Health-IT (new standard)
Stakeholders: The primary stakeholders are health IT producers and manufacturers, healthcare providers, HIT experts from healthcare delivery, and other healthcare IT professionals. Other stakeholders would include patient advocacy organizations, government representatives and health-IT associations.

Project Need: The need for a risk-based framework to help deliver consistent, high-quality clinical health IT and to ensure its safe implementation and use has been identified by various organizations and government agencies. Clinical software systems health IT is creating risk for a myriad of reasons across product life cycle. The safe functioning of health IT is highly dependent on a common understanding of each point in the life cycle by all vendors and providers of care. A standardized risk-management process for clinical software systems health IT will promote safety while avoiding the burdensome impact of stringent regulation. For this reason, such a risk management process must include all stakeholders involved in the creation, implementation and use of this type of health IT.

This standard will provide a process for managing risks to patients posed by clinical systems health IT. The roles and responsibilities of those involved in creating, implementing, and using health IT will be defined. Methods for identifying and quantifying risks will be outlined and guidance will be provided for establishing mitigation strategies.
 
1/5/2015  AAMI BIT A. Kusinitz Interview   
AAMI interviewed Alan Kusinitz, Managing Partner of SoftwareCPR, as part of its series "10 Question with...". A reprint is at the link provided.
12/31/2014  FDA Radiation BioDosimetry Device Draft   
FDA issued a draft guidance "Radiation Biodosimetry Devices" dated Dec. 30, 2014. This guidance focuses on performance data and algorithm feature selection as well as labeling. Section V.G. indicates electronic data submission is encouraged but should include the programs used to generate results in a way that can be easily transferred into statistical software. Section C.8 Instrumentation and Software simply references FDA's general software submissions guidances.
12/23/2014  FDA 510(k) Transfer Draft Guidance   
FDA issued a draft guidance "Transfer of a Premarket Notification (510(k)) Clearance Questions and Answers" dated Dec. 22, 2014. This guidance explicitly states that when a device is sold or transferred to another party FDA does not expect submission of a new 510(k). Now that 510(k) numbers are included in device listings and are required to be kept updated, FDA will use this information to indicate the current holder of the device 510(k). It can be updated by manufacturers as needed, and if an update is needed outside the annual filing no additional fee is required.

It also states: "Because contract manufacturers and sterilizers, foreign exporters, and foreign private label distributors are not responsible for the commercial distribution of devices, they would not be 510(k) holders, and should list the product under their customer's 510(k) number once it has been listed by the 510(k) holder."

If more than one entity claims the same 510(k) within the same annual update period the most recent update is used by the database. FDA will contact the parties to determine the rightful owner.
 
12/21/2014  November Standards Navigator Report   
Subscribers to our premium Standards Navigator Subscription receive monthly reports with updates on evolving medical device, software, and HIT standards and access to draft standards out for comment or vote. To see our November report click the link provided. Sherman Eagles of SoftwareCPR leads this service. 
12/18/2014  HHS to investigate medical device security   
The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) indicated that it would be investigating security of medical devices in hospitals during fiscal year (FY) 2015. The following statement is from the OIG FY 2015 work plan.

"We will examine whether CMS oversight of hospitals' security controls over networked medical devices is sufficient to effectively protect associated electronic protected health information (ePHI) and ensure beneficiary safety. Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs) and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient's medical status and transmit and receive related data using wired or wireless communications. To participate in Medicare, providers such as hospitals are required to secure medical records and patient information, including ePHI. (42 CFR § 482.24(b).) Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device. (OAS; W-00-15-42020; various reviews; expected issue date: FY 2015)"
 
12/4/2014  FDA Final Infusion Pump Guidance   
FDA issued a final guidance "Infusion Pumps Total Product Life Cycle" dated Dec. 2, 2014 after its draft draft of this document issued April 23, 2010.. This supersedes the original "Guidance on the Content of Premarket Notification [510(k)] Submissions for External Infusion Pumps" issued March, 1993. This guidance mentions the word software 31 times and safety assurance case 15 times. It specifically states that the infusion pump system includes the network (i.e, any device or system physically or wirelessly connected to the infusion pump) and explicitly requests communications and network information in premarket submissions.

It also states that the following should be provided as part of the software design information: a drug library or other dose error reduction mechanism; a real time clock (RTC); on-board memory; a pump log; an alarm handler; and a watchdog timer.

The guidance states 3 elements of safety cases: Claims, Arguments, and Evidence. It provides general guidance and states that the format and methodology are flexible but should be well explained. It also states that FDA uses post market data in its review of safety cases to confirm their validity.

Section 5b lists 4 hazards to be addressed in the safety case: Delivery Error, Incorrect Therapy, Contamination, Traumatic Injury. It goes on to list categories of hazards and specific causes to be considered.

The software safety section of the guidance refers to the general FDA software submission guidance, the premarket cybersecurity guidance, and the one for off-the-shelf software. It then specifically requests static analysis of the software and extensive details for each unresolved anomaly in terms of root cause analysis, analysis for similar bugs, and details on how to fix the anomalous code.
 
11/21/2014  Device Software Development Report   
Seapine Software (seapine.com), which provides a variety of development tools, published its 2014 report on the state of software development for medical devices. This report was generated based on input from 500 individuals in the medical device industry. It contains a breakdown of risk management methods used, key documentation challenges, requirements management approaches used, test management, traceability, and use of Agile methods. The report is at the link provided. 
11/12/2014  FDA Instrument with combined functions guidance   
FDA's Office of In Vitro Diagnostics issued a final guidance November 12, 2014 entitled "Molecular Diagnostic Instruments with Combined Functions". It discusses the distinction between functionality being submitted to FDA for approval/clearance versus functionality that would not be regulated as a medical device. In addition to general information it contains some new specifics on dealing with software (embedded or standalone) where some of the software in the instrument is for regulated functions and some is not. It discusses the need for design controls and labeling to ensure safety and effectiveness when including combined functions.

Section V.1 recommends that regulated software be separated from other software, possibly using a dual boot design. Section V.3 talks about software related human factors such as greying out unapproved/uncleared functionality when in regulated mode. Section V.5 recommends that FDA be notified of any changes to software (regulated or unregulated) that could affect the regulated functionality.
 
11/4/2014  FDA cybersecurity webinar report   
Sherman Eagles of SoftwareCPR provides the following summary of some key points from FDA's webinar on their premarket cybersecurity guidance on October 29.

In the webinar, FDA noted that the Instructions for Use should include what cybersecurity controls are needed in the use environment, but stated that it is not sufficient for a device to rely on a network being secure. The device manufacturer should identify the cybersecurity functions they have included in their device. Some of the core functions include:
o Limiting access to trusted users by using layered privileges, appropriate authenticity, and strong passwords.
o Protecting users and data by terminating sessions after a period of inactivity, setting up physical locks, and limiting access ports.
o Detecting, responding and recovering by implementing features that tell a user if the device has been compromised, provide information on what to do when it occurs, implement features to preserve critical functions with the ability to reboot and recognize drivers, and provide methods for retention and recovery of device configuration.

They also expect to see a hazard analysis program that clearly evaluates risk potential, provides information on controls put in place and the appropriateness of those controls to mitigate an identified risk, and a matrix that links cybersecurity controls to the risk being mitigated. Since the threat landscape will be continually evolving, they also want to see a plan for how the manufacturer will manage evolving threats. In response to a question, they indicated that updates for cybersecurity needed to manage new threats do not require a new premarket submission. Other questions brought out these points:
o Cybersecurity information is required for all submissions after October 1, 2014
o Risk to the system as a whole must be acceptable
o Mobile apps intended to control a device would need to consider cybersecurity
o Cybersecurity should be considered for any programmable logic - that is hardware functionality that can be re-programmed
o There is no requirement for minimum strength of encryption, but they expect a rationale from the manufacturer for the encryption chosen
o A software device delivered from the cloud should consider environment and analyze it for cybersecurity risks
o Labeling could be used to mitigate cybersecurity risks if it clearly informs the user of the needed mitigations
 
11/1/2014  FDA cybersecurity public workshop   
The FDA held a two day public workshop on Collaborative Approaches for Medical Device and Healthcare Cybersecurity on October 21-22. Documentation on the workshop, including the video recording of the workshop, can be found at the link provided. 
10/31/2014  SoftwareCPR enhanced V diagram   
A V diagram is commonly used to depict development activities (left side) and their V&V activities (right side). SoftwareCPR uses a variety of such diagrams in its training courses. Brian Pate of SoftwareCPR enhanced these diagrams in a variety of ways and the latest version is at the link provided. It depicts design control elements, software activities and high level relationships. Note that this is a heuristic aid and simplified to some degree. It is often desirable to allow for more complex relationships such as allowing lower levels of test to satisfy some high level verification requirements and higher levels of test to satisfy lower level verification requirements where possible and appropriate.

SoftwareCPR provides a variety of design control and software development planning, training and hands-on V&V services to help you ensure safety and compliance. Brian has provided training in-house at FDA and was on the standards committee for AAMI TIR45 Guidance on the use of AGILE practices in the development of medical device software.
 
10/27/2014  FDA IVD device level of concern   
NOTE that the software section 5c may be of at least some heuristic relevance to other types of devices in some ways.

The FDA issued a guidance entitled "Class II Special Controls Guideline: Nucleic Acid-Based In Vitro Diagnostic Devices for the Detection of Mycobacterium tuberculosis Complex and Genetic Mutations Associated with Mycobacterium tuberculosis Complex Antibiotic Resistance in Respiratory Specimens" dated 22-Oct-2014.

Section 5c of this guidance addresses software. In addition to referring to the general software guidance it specifically requests a clear description of how raw signals are converted into a result. It also has a lengthy discussion of level of concern. Although section 4 states that the device can provide false negative results for tuberculosis, allowing for disease progression and transmission to others, Section 5c, after stressing that level of concern must be determined without considering mitigation, says software would normally be considered moderate for this type of device but that you must determine the actual level of concern from your hazard analysis.

Section 5c also states that "If any significant changes are made to the hardware or software after the completion of the clinical studies but before the clearance and distribution of the device, you must perform a risk assessment and include it in your 510(k) submission."

Section 5c then provides a list of references that may be helpful, but note that the reference to AAMI SW68 is probably obsolete and was unintentional as the current medical device software lifecycle standard is EN/AAMI/IEC 62304.
 
10/26/2014  FDA De Novo Summaries and Submissions   
FDA CDRH maintains a webpage for De Novo Summaries. This is for devices that are novel but low to moderate risk (not ideal for 510(k)s and PMA would be overly burdensome). There are now two options for de novo classification. One is in response to a Not Substantially Equivalent (NSE) decision by FDA in response to a 510(k) submission (this used to be the only option). The second is that, if there is no suitable predicate device, a de novo request can be submitted first without a 510(k) for FDA to make a risk based classification. The FDA webpage is at the link provided. Looking at current and past determinations can be helpful when evaluating a device for suitability for a de novo. 
10/21/2014  Agile Methods Planning Recommendations   
It is well established that design and development planning is a critical component of developing safe and effective medical device software. Planning ensures that the design process is appropriately controlled and that the quality objectives are met.

However, when medical device companies adopt agile methods for software development, the planning process can be confusing and challenging. Many aspects differ from traditional waterfall approaches, and development and QA managers struggle with knowing how much planning is required.

The document at the link provided is a brief overview on this subject along with several recommendations by Brian Pate of SoftwareCPR.
 
10/19/2014  FDA Draft Guidance Flow Cytometry Devices   
The FDA issued a draft guidance entitled "Flow Cytometric Devices" dated 14-Oct-2014. Section 5 of this guidance addresses software used in the device and discusses regulatory clearance with the associated reagents and instrumentation as well as other information needed. The full guidance is at the link provided and was issued jointly by the Office of In Vitro Diagnostics Division of Immunology and Hematology and the Center for Biologics Evaluation and Research. 
10/19/2014  FDA Guidance Recalls versus Enhancements   
The FDA issued a guidance entitled "Distinguishing Medical Device Recalls from Medical Device Enhancements" dated 15-Oct-2014. This guidance provides a series of examples as well as some explanation to help distinguish recalls, corrections, removals, and enhancements of medical devices. A number of the examples are for software changes. Some general principles relate to whether the change is being made because the device does not meet its specifications and claims and whether the device is violative (not in compliance with FDA law/regulation). 
10/19/2014  FDA Medical Device eCopy webpage updated   
The FDA maintains a webpage of resources at the link provided for their eCopy program for medical device submissions. This addresses IDEs, premarket submissions and registration and listing. FDA also provides several tools for formatting and validating eCopy submissions. 
10/2/2014  Final FDA Premarket Cybersecurity Guidance   
FDA released its final guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices".

This guidance states that device manufacturers should develop cybersecurity controls as part of device development "to assure medical device cybersecurity and maintain medical device functionality and safety." This should include establishing design inputs for cybersecurity, including addressing vulnerabilities as part of the software validation and risk analysis process under 820.30(g). It provides a list of elements for this in Section 4.

The guidance recommends that the core functions guiding cybersecurity activities include: Identify, Protect, Detect, Respond, and Recover.

Section 6 defines cybersecurity information to be included in premarket submissions:
1. Hazard Analysis related to cybersecurity
2. Trace matrix of cybersecurity controls to risks
3. A summary describing the plan for providing validated software updates and patches during use
4. A summary describing controls to ensure the device maintains its integrity in use
5. Labeling to describe controls related to the intended use environment (e.g. firewalls).

The guidance then lists a number of relevant standards including 80002-1 and 80002-2 for networked medical devices and CLSI, AUTO11-A for IVDs.

The full guidance is at the link provided. SoftwareCPR has been helping clients identify cybersecurity risks and controls and prepare cybersecurity information in premarket submissions for many years as part of risk analysis information and can help you conform to the requirements of this new guidance.
 
10/2/2014  IMDRF Finalizes SaMD Document   
The IMDRF Management Committee approved the final N12 document, "Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Considerations". IMDRF publishes their documents at the link provided. This document should be posted in the near future. FDA participates actively in the International Medical Device Regulators Forum (IMDRF) which is seeking to harmonize international regulation. 
9/26/2014  AAMI Agile Software Compliance Course Sept 29-30   
Brian Pate and Alan Kusinitz of SoftwareCPR.com will be instructing next week's (9/29-9/30/14) course with FDA instructors and another industry instructor.

Compliant Use of Agile Practices in the Development of Medical Device Software
Course: September 29-30, 2014 Arlington, VA

This course focuses on compliant use of Agile Methods in medical device software development using AAMI TIR45, IEC 62304, and FDA guidances as primary references.
 
9/17/2014  SoftwareCPR.com September 2014 Newsletter PDF   
This SoftwareCPR.com newsletter lists items added to the web site since January 21, 2014 and as of May 29, 2014. It serves as an easy reference to find new or updated items that may be of interest to you. Please search the library to see all items posted as the newsletter only lists new or updated ones. 
9/12/2014  FDA Connect Health Web Page   
The link provided is FDA's relatively new web page related to connected health including cybersecurity, Health IT, Mobile Medical Apps, and wireless medical devices. The MMA page provides lists of examples of types of MMApps and how they are or are not regulated. 
9/12/2014  SoftwareCPR Standards Update September 2014   
Medical device software
- The IMDRF working group on Software as a Medical Device (SaMD) has a working draft of their final classification document and has submitted their presentation slides for the IMDRF meeting in Washington in September. It is interesting that in the current draft a standalone software could be embedded in a medical device provided it is running on a general purpose computer platform.

Medical Devices
- AAMI has circulated for vote the draft technical information report TIR 38 - Medical Device Safety Assurance Case Report Guidance. The TIR provides guidance for the development of safety cases for the design of a medical device. It includes guidance on how to integrate existing medical device risk management processes with safety cases.
- A draft technical report IEC 60601-4-3 Guidance and interpretation - Considerations of unclear or unaddressed safety aspects in the third edition of IEC 60601-1 and proposals for new requirements has been circulated for vote. This technical report contains a series of recommendations in response to questions of interpretation of the third edition of IEC 60601-1. Almost all of these recommendations pertain to basic safety. One question asked about the reference to IEC 62304:2006 that is contained in clause 14 after the amendment to IEC 62304 is completed which will address legacy software. The response was that because 60601-1 has a gap regarding legacy software, risk management should be used which should be based on the state of the art, which means that the newer versions of 62304 should be taken into account.

Quality
- Draft for vote of a new version of ISO 9000 - Quality management systems -Fundamentals and vocabulary.
- Draft for vote of a new version of ISO 9001 - Quality management systems - Requirements.

Security
- Preliminary draft technical specification ISO 33050-4 - A process reference model for information security management. The PRM specified in this Technical Specification describes the processes including the information security management system (ISMS) processes implied by ISO/IEC 27001.
- Preliminary draft technical specification ISO 33070-4 - A process capability assessment model for Information Security Management. It defines an exemplar PAM that meets the requirements of ISO/IEC 33004 and that supports the performance of an assessment by providing indicators for guidance on the interpretation of the process purposes and outcomes as defined in ISO/IEC TS 33050-4 and the process attributes as defined in ISO/IEC 33020.

Software Engineering
- Committee draft of ISO 25011 - Service Quality Model.
- Final draft of ISO/IEC 26531 - Content management for product lifecycle, user, and service management documentation.
- Draft for vote of ISO 29119-5 - Software Testing - Part 5: Keyword-Driven Testing.
- Committee draft of ISO 25022 - Measurement of quality in use.
- Final draft of ISO 23026 - Engineering and management of websites for systems, software, and services information.
- Final draft of ISO 16350 - Application management. This International Standard provides a common framework for establishing the processes, tasks and activities of service providers that enhance, maintain and/or renew applications or application objects after the initial development.
- Draft technical report ISO 12182 - Framework for categorization of IT systems and software, and guide for applying it.
 
8/15/2014  FDA Medical Device Tools Pilot Program   
FDA initiated this pilot program as a way to qualify tools for use by device manufacturers in their development processes. Qualification means that the FDA has evaluated the tool and concurs with available supporting evidence that the tool produces scientifically-plausible measurements and works as intended within the specified context of use. It focuses on clinical outcome, biomarker, and non-clinical assessment models. FDA's webpage on this pilot program is at the link provided. Since FDA will keep proprietary information confidential, this approach may be attractive to tools vendors that want an FDA qualification statement but want to protect their proprietary information and not provide it to device manufacturers. 
8/13/2014  FDA Guidance Home Use Design Considerations.   
FDA issued the final guidance "Design Considerations for Devices Intended for Home Use" dated August 5, 2014. The full guidance is at the link provided. Section VII Design Consideration addresses software by stating the following and then referencing IEC 62304 and FDA's general software guidances: "Software plays a critical role in the operation of some devices. For these devices, you should focus on developing device and software architecture and algorithms for performance, error detection, control, and recovery. When developing a home use device, you should broaden your existing concept development and preliminary testing processes to account for the needs of home users and requirements for straightforward device operation, obvious interface layouts, and appropriate alarm methods. If software upgrades are required, you should consider how this will be performed in the home environment with the lowest risk to the user and least burden on you." 
8/1/2014  FDA Draft 510(k) exemptions intent   
FDA issued a Draft "Intent to Exempt Certain Class II and Class I Reserved Medical Devices from Premarket Notification Requirements" guidance on August 1, 2014. This document is at the link provided. For device code LLN, if software is used to analyze clinical implication of a measurement a 510(k) will be required. Many other device types and intended uses are identified in this guidance as being 510(k) exempt. 
7/31/2014  FDA FY 2015 User Fee Rates   
FDA issued the user fee rates for FY 2015, which apply from October 1, 2014, through September 30, 2015. To avoid delay in the review of your application, you should pay the standard fee before or at the time you submit your application to FDA. Table 5 of the Federal register notice contains the fees and is at the link provided.

If your business has gross receipts or sales of no more than $100 million for the most recent tax year, you may qualify for reduced small business fees. If your business has gross sales or receipts of no more than $30 million, you may also qualify for a waiver of the fee for your first premarket application (PMA, PDP, or BLA) or premarket report. You must include the gross receipts or sales of all of your affiliates along with your own gross receipts or sales when determining whether you meet the $100 million or $30 million threshold.
 
7/28/2014  Final FDA 510(k) Substantial Equivalence Guidance   
FDA issued a final guidance entitled "The 510(k) Program: Evaluating Substantial Equivalence in Premarket Notifications [510(k)]" dated July 28, 2014. This guidance mentions software 18 times (including in the example). Software is considered one of the technological characteristics that could affect equivalence and examples include changes in the way software is used to analyze a patient's anatomy or physiology. The guidance also discusses the software information to be provided in the 510(k) related to demonstrating substantial equivalence. The full guidance is at the link provided. 
7/27/2014  Cybersecurity for Medical Devices   
Brian Pate of SoftwareCPR writes:

In May 2014, FDA offered further guidance to manufacturers regarding premarket submission information identifying cyber-security risks and hazards associated with their medical devices, and the responsibility for engineering appropriate risk controls to address patient safety and assure proper device performance. FDA encouraged manufacturers to report any cyber-security incidents that may occur.

Many manufacturers may be struggling with first steps toward improved cyber-security or what process to use. Since many medical device manufacturers are already familiar with the ISO 14971 risk management process, SoftwareCPR recommends that cyber-security risks simply be added to the existing risk analysis. Using techniques such as threat modeling, cyber-intrusions can be treated like failure modes that can lead to high level hazards that have been identified for the clinical harms of the medical device. The ISO 14971 process will then guide the evaluation and design of appropriate risk controls for these types of cyber-intrusions.

Device manufacturers and healthcare institutions should also become familiar with a number of Health IT security standards - including the IEC 80001 series - that contain specific recommendations for addressing and assessing cybersecurity risks.
 
7/20/2014  Google Partners with Novartis   
The article at the link attached discusses Google's partnering with Novartis for its contact lens based glucose measurement technology. 
6/20/2014  FDA Blog with rationale for deregulation of MDDS   
Bakul Patel, a senior policy advisor in FDA's Center for Devices and Radiological Health, posted a blog explaining the rationale for deregulating MDDS and some Imaging Storage and Communication systems. The blog is at the link provided. 
6/20/2014  FDA Draft Guidance to deregulate MDDS   
FDA issued a draft guidance: Medical Device Data Systems, Medical Image Storage Devices, and Medical Image Communications Devices. This draft exercises FDA enforcement discretion to essentially deregulate MDDS and Imaging Storage and Communication systems despite their classification rules. The guidance is at the link provided and proposes the new policy and provides specific wording changes to the Mobile Medical Apps Guidance to accommodate this change. The changes include deregulation of Mobile Medical Apps that serve as a secondary display of data rather than the primary device display, such as an App for a doctor that receives data from a nursing station monitor. 
6/13/2014  ONC Health IT 10 year Interoperability Concept..   
ONC 10 year roadmap to achieving a "learning health system" based on an interoperable health IT ecosystem. 
6/13/2014  SoftwareCPR Standards Summary May 2014   
A number of draft standards were released for comment, including several related to specific security for medical devices and Health IT:
- AAMI TIR38 - AAMI Medical device safety assurance case guidance
- IEC Health SW Standards Framework
- ISO 27799 Health informatics - Information management in health using ISO/IEC 27002
- IEC TR 80001-2-8, Application of risk management for IT networks incorporating medical devices - Part 2-8: Application guidance - Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2
- NIST Special Publication 800-160 Systems Security Engineering. This guidance infuses systems security engineering techniques, methods, and practices into the systems and software engineering processes defined in ISO/IEC 15288. This NIST document is publicly available at the link provided.
 
6/2/2014  FDAVoice - Blog   
Just a reminder that FDA maintains a blog at the link provided. This generally contains short announcements with some explanation from FDA leads on policy and specific projects across all FDA divisions, although one can select specific divisions using the categories option. One recent posting was from Bakul Patel of the device center regarding the recent Health IT conference and FDASIA report. 
6/2/2014  OpenFDA   
The link provided is for OpenFDA, an FDA initiative to make it easier to access FDA's large datasets, initially focusing on drug adverse event reporting. 
5/30/2014  Medical Device Translation Service & Tools.   
In SoftwareCPR's experience translations and localization of user interfaces and labeling of medical devices for distribution in a variety of geographic regions can be challenging and can present safety issues if not properly handled. Alan Kusinitz of SoftwareCPR co-authored an article on localization risk management with one of the large companies that provides such services for the medical device industry and has its own patented risk management process. Some information about this company is provided below and their website is at the link provided.

EnCompass content solutions are designed to address all of the content needs of today's medical device manufacturer, from start-up to global enterprise. Beginning with patented risk management from our Crimson Life Sciences division, through advanced content management technology from sister divisions Vasont Systems, Astoria Software, and Translations.com, and including the global resources of TransPerfect Translations, EnCompass offers the first comprehensive portfolio of integrated content services and technologies for the medical device industry.
 
5/30/2014  Webcast of FDA/ONC Health IT Framework Workshop   
FDA and the Office of the National Coordinator held a public workshop entitled "Proposed Risk-Based Regulatory Framework and Strategy for Health Information Technology" May 13-15, 2014. A three part webcast of this workshop can be found at the link provided. 
5/22/2014  FDA Class I Device Inspections   
It appears that the Center directed ORA to inspect Class I firms and provided each regional/district office with a list of 50 firms to choose from. These inspections appear to be in part a validation exercise of the risk based approach to only inspecting higher risk firms. We are assuming it is for the remainder of this FDA fiscal year. It may increase the likelihood that lower risk device manufacturers such as MDDS are inspected through the remainder of this year. 
5/19/2014  FDA UDI Final Rule & Draft Guidance Overview Slides   
FDA published slides presented by Jay Crowley of CDRH providing an overview of the Final Universal Device Identification Rule and the draft guidance. These slides highlight some of the important aspects of the final rule including changes from the draft rule. This includes that standalone software need only provide a means to display a human readable UDI. The full presentation is at the link provided. 
5/16/2014  FDA UDI Final Rule   
FDA published its Final Universal Device Identification Rule. This includes that standalone software need only provide a means to display a human readable UDI. The full link to FDA's web page on the UDI rule is at the link provided. 
5/14/2014  OBSOLETE - FDA Draft Use of Standards Guidance   
This draft is OBSOLETE and just for historical reference; a final was issued September 14, 2018 and can be found in news or our document library.
FDA published a new draft guidance: Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical Devices. This draft seems to clarify and formalize existing FDA practice, including the requirement to submit FDA's standards form for each standard used, and discusses the use of obsolete standards. Originally standards were a focus for Abbreviated 510(k) but FDA has been requiring information on all standards mentioned in premarket submissions for several years and this guidance formalizes that practice. Comments on the draft are due by August 13, 2014. The full draft is at the link provided.
 
5/6/2014  ECRI Top Ten Safety Concerns   
ECRI Institute published its Top 10 Patient Safety Concerns for Healthcare Organizations to give healthcare organizations a gauge to check their track record in patient safety. The list originally appeared in its Healthcare Risk Control (HRC) System newsletter, the Risk Management Reporter, and is reprinted in this report. The list is partly based on more than 300,000 patient safety events, custom research requests, and root-cause analyses submitted to our federally designated patient safety organization, ECRI Institute PSO, for evaluation and analysis.

The number 1 issue on the list is data integrity failures with Health IT systems.

ECRI intends to publish its top 10 list of patient safety concerns on an annual basis and recommends using it along with ECRI Institute's other two top 10 lists, the list of health technology hazards and the list of technologies to watch, to stay informed in all areas of patient safety.
 
5/5/2014  BI&T Editorial Board Appointment   
Alan Kusinitz, Managing Partner of SoftwareCPR, accepted appointment to the Biomedical Instrumentation and Technology journal editorial board. Alan authored a number of articles for this journal and performed peer reviews for the journal over the years. 
5/5/2014  BSI WP Proposed EU Regulations   
This white paper provides an update of the proposed revisions to EU medical device regulation as of April 2014. 
5/5/2014  Draft Standards Update April 2014   
The following draft standards are being circulated for comment or ballot. More information is available to Standards Navigator Subscribers in the Standards Navigator topic:
-IEC 62304 Amendment CDV
-$ISO 16142-1 DIS
-ISO 90003 FDIS
-ISO 15289 FDIS
-ISO 24748-4 DIS
-ISO 24748-6 NP
 
5/5/2014  EU Green Paper on mobile health.   
This white paper provides an update of the proposed revisions to EU medical device regulation as of April 2014. 
5/2/2014  FDA Device eSubmission Pilot   
The FDA is accepting requests to participate in its Medical Device eSubmission pilot program. This is only open for devices being submitted to ODE's Division of Cardiovascular Devices Cardiac Diagnostic Devices Branch or Peripheral Interventional Devices Branch. This will be interactive to evaluate the process/tools and the Refuse to Accept screening will be waived for participants. Deadline for requests to participate is September 30, 2014.
 
5/1/2014  TFDA training   
Lucille Ferus, a Partner at SoftwareCPR, provided training to the Taiwan FDA on US and international medical device software regulation in April. We continue to see increased focus on software regulation in countries outside the US.
4/20/2014  Anesthesia System Recall - SW & USB port charging   
"Spacelabs Healthcare is recalling the ARKON Anesthesia System with Version 2.0 Software due to a software defect. This software issue may cause the system to stop working and require manual ventilation of patients. In addition, if a cell phone or other USB device is plugged into one of the four USB ports for charging, this may cause the system to stop working. ...The error is triggered by the combination of a spirometry loop save and a change in waveform configuration. This defect may cause serious adverse health consequences, including hypoxemia and death."

Stan Hamilton of SoftwareCPR comments: "For devices that must fail operational or risk a hazardous situation, such as this one, one should always be on the lookout for single faults that could result in an interruption of essential functionality. The safe state for these devices is generally to continue critical operations, and possibly generate an alarm or warning to resolve the fault. Isolating critical processing modules from peripheral functionality can be an important aspect to consider in achieving the desired safety model."

Brian Pate of SoftwareCPR comments: "Have you considered various types of testing? This failure mode is a reminder that combinatorial testing is critically important with multi-featured software devices. Ensure that your module, integration, and system level testing have adequate diversity of test types particularly around risk controls and primary operating functions."

SoftwareCPR can provide assessments of your risk mitigation and test strategy and provide valuable feedback to gain greater test effectiveness in the most efficient manner. Contact us today to discuss how we could help.

The full FDA notice is at the link provided.
 
4/19/2014  Stan Hamilton Returns to Medical Devices   
Crisis Prevention and Recovery LLC (DBA SoftwareCPR®) is pleased to announce that Stan Hamilton has returned as a partner after several years of applying his risk management expertise in Aerospace. Stan has over 28 years experience in systems and software engineering for medical devices and ultra-high reliability systems. Stan was a former partner with SoftwareCPR and served on the AAMI TIR group that developed the well received AAMI TIR32 Application of risk management to medical device software (which served as the basis for IEC 80002-1). Stan is an expert with systems and software risk management and the development and evaluation of effective risk controls, further bolstering SoftwareCPR's unique expertise in this area.
4/19/2014  Standalone Medical Devices SCPR Services   
SaMD. Standalone Medical Devices. Do you have SaMD or software systems that might be classified as medical devices, even if FDA has chosen not to regulate them? Do you know the features that might trigger medical device classification? Whether regulated or not, a well developed and sufficiently documented risk analysis and management plan is essential and the first step toward safe products. Contact SoftwareCPR to help you with strategic feature planning and software architecture decisions for your SaMD to confidently navigate the SaMD highway. 
4/9/2014  FDA submission communications guidance   
FDA issued a final guidance on April 4, 2014 titled "Types of Communication During the Review of Medical Device Submissions". This guidance provides a clear description of the stages of a premarket review, timing, and information communicated, including the forms of communications. It states that the initial acceptance for review stage timing does not begin until any user fee and an ecopy are received. Whether accepted for review or rejected, FDA will provide the name of the lead reviewer or regulatory project manager. The next stage is substantive interaction, and FDA will notify at the end of its review whether interaction will be interactive or by placing the submission on hold and providing a list of deficiencies. Interactive review does not affect the review clock and does not restrict issues to minor ones as in the earlier draft. Email and fax are the preferred interactive review communication methods, with limited use of phone calls for brief clarification requests.
4/7/2014  ONC FDASIA Draft Report Presentation   
The Director, Office of Policy and Planning, of the Office of the National Coordinator for Health Information Technology provided an overview presentation on ONC's perspective on the FDASIA draft report. The slides are at the link provided.

As with all presentations SoftwareCPR reminds readers to refer to the actual source documentation, in this case the FDASIA report, and not rely exclusively on the presentation material. Keep in mind this is a presentation from ONC not FDA.
 
4/3/2014  FDASIA Draft Health IT Regulatory Strategy   
The FDA released its anticipated draft report on regulation of Health IT. This report includes a risk-based regulatory framework for health information technology (health IT) that is a step towards clarifying what software will be actively regulated by FDA. The report was developed by the U.S. Food and Drug Administration in coordination with the Health and Human Services Office of the National Coordinator for Health IT (ONC) and the Federal Communications Commission (FCC). The three categories of Health IT identified are: administrative health functions, health management functions, and medical device functions, with the latter remaining actively regulated in a traditional manner by FDA. The FDA is seeking feedback on this approach and will be scheduling a public meeting in May for this purpose. The full report is at the link provided.
3/31/2014  GM Safety Recall   
The Wall Street Journal reports that "the top federal auto-safety regulator will defend his agency before Congress on Tuesday, telling lawmakers that General Motors had "critical information" that would have helped it identify a defect earlier in the Chevrolet Cobalt and other vehicles and might have changed the agency's course in investigating the problems.
In prepared testimony, David Friedman, the acting administrator of the National Highway Traffic Safety Administration, said the agency is "not aware of any information" that it "failed to properly carry out its safety mission" based on the data available to it and its own processes.
Meanwhile, GM CEO Mary Barra intends to tell legislators that she has accelerated efforts to fix faulty ignition switches but still doesn't have a reason why it took nearly a decade to initiate a recall."

Brian Pate of SoftwareCPR notes that while not a medical device, it is a reminder of the importance of a complete and thorough complaint handling system for addressing and bringing to timely closure potential quality problems. One must consider how the analysis and investigation may appear when reviewed and scrutinized years later.
 
3/26/2014  AAMI TIR50 Post-market Use Error Surveillance   
AAMI has released AAMI TIR50:2014, "Post-market surveillance of use error management". This document addresses the issue of use error detection for medical devices from the clinical, manufacturer, patient, user and regulatory perspective. The goal is to provide guidance on how these individuals can best collect, assess, and leverage post-market use error data to mitigate product risk, and to improve product safety and usability. 
3/25/2014  FDA Premarket submission Cybersecurity Information   
In a new draft guidance (for electrosurgical devices but in our opinion representative of information needed for other devices) FDA stated that cybersecurity information including but not limited to the following should be provided:

Confidentiality assures that no unauthorized users have access to the information.

Integrity is the assurance that the information is correct - that is, it has not been improperly modified.

Availability suggests that the information will be available when needed.

Accountability is the application of identification and authentication to assure that the prescribed access process is being done by an authorized user.
 
3/24/2014  FDA Draft Guidance for Electro-Surgical Devices   
The link provided is to an FDA Draft Guidance dated 3/24/14 entitled "Premarket Notification [510(k)] Submissions for Electrosurgical Devices for General Surgery". The comment period ends 90 days later. It provides an example predicate comparison table and much information on key elements of a premarket submission. Section V is on Software and mostly just refers to the FDA's general software submission guidance and Off-the-shelf software guidance. It does state that generally the Level of Concern for the software is Moderate. It also states that information should be provided on cybersecurity including Confidentiality, Integrity, Availability, and Accountability.
3/22/2014  Senate Request to FDA for MMApps Clarification   
The link provided is to an MDDI article regarding a March 18, 2014 letter to FDA from 6 Senators requesting clarifications on Medical Mobile App regulation and FDA procedures. This appears to be one of several congressional attempts to clarify what FDA will and will not regulate in the rapidly evolving Health IT space.
3/10/2014  GessNet Risk Management and Safety Case Tool   
In SoftwareCPR's opinion a somewhat unique, very well conceived and well designed tool for the specialized craft of risk analysis as well as safety assurance cases. The tool is very configurable, allowing customized structures for your own methods. The ability to view data from an FMEA, FTA, or table view saves valuable time during creation and reviews. This tool even generates safety cases from your data. Definitely the new state of the art tool for these tasks. It allows tabular data entry and views rather than strictly graphical formats which can be cumbersome on their own. It provides some powerful ways to utilize existing risk analysis information and more easily generate safety cases. It was developed to focus on medical device risk management per IEC 14971 and safety case generation where requested by the U.S. FDA. For more information about FDA and international standards compliant risk management and safety case development or help tailoring your risk management process using the GessNet Tool leave us a message and one of our experts will contact you. The website for this tool is at the link provided.
3/6/2014  ISO 13485 Medical Devices QMS Draft for Vote.   
There is a new draft for vote of ISO 13485 Medical Devices- Quality Management systems - Requirements for regulatory purposes. This version updates the references to ISO 9001 to the 2008 version. Some new requirements include:
- A requirement for a risk management process has been added in the product realization phase and ISO 14971 and IEC 62304 have been referenced for guidance.
- The organization also now has to define a method for protecting confidential health information that may be provided as part of the requirements related to the product or as customer feedback or post-market surveillance.
- If required by regulation, the organization shall establish and maintain a system to assign a Unique Device Identifier (UDI) to the device.
- A new requirement for documenting procedures for the validation of the application of computer software used in the quality management system, including production and service provision, has been added.
 
3/6/2014  NIST Framework Infrastructure Cybersecurity   
The final version of the NIST Framework for critical infrastructure cybersecurity has been published. Healthcare and public health have been designated as critical infrastructure. In its introduction, the framework states "Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary regardless of an organization's size, threat exposure, or cybersecurity sophistication today." The framework is voluntary and not industry specific. It takes a risk-based approach to managing cybersecurity risk in an enterprise. While the framework is voluntary, it seems likely that regulation, litigation and insurance will consider it the minimum expectation for managing cybersecurity risks in an enterprise.

The Framework and related documentation can be found at the link provided.
 
3/6/2014  ONC Proposed 2015 HealthIT EHR rule   
The Office of National Coordinator for Health Information Technology published a proposed rule for Voluntary 2015 Edition Electronic Health Record Certification Criteria; Interoperability Updates and Regulatory Improvements. The proposed rule eliminates the "complete EHR" designation, separates the content and transport certification criteria and announces a more frequent certification rule making process. The proposed rule also fixes a number of issues in the 2014 edition with changes to Computerized Provider Order Entry, Clinical decision support, uses of UDI data and many others.

The Microsoft Word version of the proposed rule and the document that can be used for providing comments can be found on ONC's Web site at the link provided.
 
3/1/2014  WiFi Network Attacking Virus   
The article at the link provided describes a virus constructed specifically to breach networks through WiFi vulnerabilities.
2/25/2014  IT Network Assessment article using IEC 80001-1   
AAMI recently published "RESEARCH Assessing a Hospital's Medical IT Network Risk Management Practice with 80001-1" in its Biomedical Instrumentation & Technology (BI&T). The full article is at the link provided. The article reports on an actual hospital network/health IT assessment using 80001-1 as one of the tools for the assessment.
2/25/2014  Safety Assurance Case Article   
Sherman Eagles of SoftwareCPR co-authored AAMI's recently published article "REDUCING RISKS AND RECALLS Safety Assurance Cases For Medical Devices" in the January/February 2014 issue of BI&T (Biomedical Instrumentation & Technology, a bimonthly, peer-reviewed journal from the Association for the Advancement of Medical Instrumentation, www.aami.org). The full article is posted with permission at the link provided. Any other distribution of AAMI-copyrighted material requires written permission from AAMI.
2/24/2014  Apple defect IOS defect - static analysis   
An interesting analysis in a Guardian article below: "Apple should have found it, but didn't either of its compilers (GCC and Clang) should have thrown an error, but testing by others has shown that it doesn't unless you have a particular warning flag (for "unreachable code") set. A compiler which pointed to "unreachable code" (that is, a segment of code which will never be activated because it lies beneath a code diversion that always applies) would have caught it." The full article is at the link provided.

http://www.theguardian.com/technology/2014/feb/25/apples-ssl-iphone-vulnerability-how-did-it-happen-and-what-next
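The defect class described in the quote, a check that sits beneath a jump that is always taken, shown as an added C example that is not Apple's code or code from the article. The function names and the toy integrity tag are constructed for illustration; the hardened version fails closed so that a skipped check cannot produce a success result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for real verification steps; 0 means success. */
static int check_length(const uint8_t *msg, size_t len)
{
    return (msg != NULL && len > 0) ? 0 : -1;
}

/* Toy integrity tag (NOT cryptography); it only gives the check something to fail on. */
static uint8_t toy_tag(const uint8_t *msg, size_t len)
{
    uint8_t t = 0x5a;
    for (size_t i = 0; i < len; i++)
        t = (uint8_t)(((t << 1) | (t >> 7)) ^ msg[i]);
    return t;
}

static int check_tag(const uint8_t *msg, size_t len, uint8_t tag)
{
    return (toy_tag(msg, len) == tag) ? 0 : -1;
}

/* Flawed: a stray unconditional jump makes the tag check unreachable.
 * err is still 0 when the jump is taken, so the caller sees "verified".
 * Clang reports the dead check when built with -Wunreachable-code. */
int verify_flawed(const uint8_t *msg, size_t len, uint8_t tag)
{
    int err;

    if ((err = check_length(msg, len)) != 0)
        goto fail;
    goto fail; /* stray line: always taken */

    if ((err = check_tag(msg, len, tag)) != 0) /* never executed */
        goto fail;

fail:
    return err;
}

/* Hardened: the result starts as failure and becomes success only after
 * every check has actually run; every branch is braced. */
int verify_fixed(const uint8_t *msg, size_t len, uint8_t tag)
{
    int result = -1;

    if (check_length(msg, len) != 0) {
        goto done;
    }
    if (check_tag(msg, len, tag) != 0) {
        goto done;
    }
    result = 0;

done:
    return result;
}

int main(void)
{
    const uint8_t msg[] = "rate=5"; /* constructed sample message */
    size_t len = sizeof msg - 1;
    uint8_t bad = (uint8_t)(toy_tag(msg, len) ^ 0xff); /* wrong tag */

    printf("flawed accepts wrong tag: %s\n",
           verify_flawed(msg, len, bad) == 0 ? "yes" : "no");
    printf("fixed accepts wrong tag:  %s\n",
           verify_fixed(msg, len, bad) == 0 ? "yes" : "no");
    return 0;
}
```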
 
2/15/2014  Upgrading your device to use Windows 8   
According to an article published on the web (Brad Sams at the link provided), Microsoft has reached the 200 million mark with distribution of Windows 8 licenses. While this is a little behind the pace of distribution for Windows 7 when it was released, it still represents a very large number of sites and is indicative of adoption. Medical device manufacturers of standalone software systems for Windows platform must take notice and prepare for customers moving to this new operating system. As with any configuration change to a medical device, start with risk management and let that guide the activities and tasks required to qualify a new operating system and/or platform and validate your changed device. If your product required a premarket submission to FDA then you should also consider what type of new submission is needed using a variety of FDA's guidance documents for submission in general and software submission in particular such as FDA's Off-The-Shelf (OTS) software guidance.

SoftwareCPR can help you with this process with services as simple as reviewing your plan or as extensive as writing qualification procedures, tests, and new premarket submission for the upgrade to Windows 8. Our experts can provide a helping hand to your staff during crunch times or if your team lacks the experience with regulatory requirements.
 
2/14/2014  NASA Software Verification Article and Key points   
The latest ACM Journal has an interesting article on software verification at NASA JPL for the Mars Curiosity Rover at the link provided. A few highlights from one of our validation specialists are below.

A few things that I found interesting:

- Their standard for flight software is ISO-C99.

- The coding standard at JPL (http://lars-lab.jpl.nasa.gov/JPL_Coding_Standard_C.pdf) is risk-based and has 6 "levels of compliance". LOC-5 and LOC-6 are for safety-critical and human-rated software and include all MISRA rules.

- They state that there is "compelling evidence that higher assertion densities correlate with lower residual defect densities", and therefore they specify a minimum assertion density of 2%.

- Assertions are left active in production code and if one triggers the system goes to a safe state.***

- They use four static analyzers: Coverity, Codesonar, Semmle, and Uno.

- They have an in-house tool called Scrub that combines the output of all four static analyzers plus human review comments into one unified system.

- Multi-threading issues including race conditions are a big concern. To mitigate that they use a free logic model checker called Spin.

Several years ago while I watched the mission control video of the Curiosity lander, I overheard one of the technicians saying not to worry about an error that they received from the craft during the landing since the software was in "battle-short mode". So apparently there are times when the "safe-state" is overridden.

Ron Baerg
Software Engineering Specialist, ValidationCPR
See our services sheet: www.ValidationCPR.com for ways we can assist in planning, executing, or reviewing your medical device V&V activities or leave a message on our website and we'll contact you.
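The always-on assertion, safe-state and battle-short points in the notes above, sketched in C as an added example; it is not JPL's code and not from the article. The `CHECK` macro, the heater output and the `g_battle_short` flag are hypothetical names, and `assertion_density` counts lines containing the macro as one simple way to measure against a figure such as the 2% minimum.

```c
#include <stdio.h>
#include <string.h>

typedef enum { MODE_RUN, MODE_SAFE } sys_mode_t;

static sys_mode_t g_mode = MODE_RUN;
static int g_battle_short = 0;         /* 1: log failed assertions but stay in MODE_RUN */
static unsigned g_assert_failures = 0;
static int g_heater_duty = 0;          /* percent; hypothetical actuator output */

/* Runs on every failed assertion, in every build. Returns 0 so CHECK() is false. */
static int on_assert_failure(const char *expr, const char *file, int line)
{
    g_assert_failures++;
    fprintf(stderr, "ASSERT FAILED: %s (%s:%d)\n", expr, file, line);
    if (!g_battle_short) {
        g_heater_duty = 0;             /* de-energise the output first */
        g_mode = MODE_SAFE;
    }
    return 0;
}

/* Unlike assert() from <assert.h>, this is not compiled out by NDEBUG. */
#define CHECK(cond) ((cond) ? 1 : on_assert_failure(#cond, __FILE__, __LINE__))

/* Returns 0 on success, -1 if the request is refused. */
int set_heater_duty(int percent)
{
    if (g_mode != MODE_RUN)
        return -1;                     /* normal refusal, not an assertion */
    if (!CHECK(percent >= 0 && percent <= 100))
        return -1;                     /* the bad value is rejected in both modes */
    g_heater_duty = percent;
    return 0;
}

/* Percentage of non-blank lines in src that contain the text in macro. */
double assertion_density(const char *src, const char *macro)
{
    size_t mlen = strlen(macro);
    unsigned lines = 0, hits = 0;

    while (*src != '\0') {
        const char *eol = strchr(src, '\n');
        size_t n = eol ? (size_t)(eol - src) : strlen(src);
        size_t i = 0;

        while (i < n && (src[i] == ' ' || src[i] == '\t'))
            i++;
        if (i < n) {                   /* line has non-blank content */
            lines++;
            for (size_t k = i; k + mlen <= n; k++) {
                if (strncmp(src + k, macro, mlen) == 0) {
                    hits++;
                    break;
                }
            }
        }
        src += n + (eol ? 1 : 0);
    }
    return lines ? 100.0 * hits / lines : 0.0;
}

/* Puts the demo system into a known state. */
void reset_system(int battle_short)
{
    g_mode = MODE_RUN;
    g_battle_short = battle_short;
    g_assert_failures = 0;
    g_heater_duty = 0;
}

int main(void)
{
    /* Constructed sample source text for the density measurement. */
    const char *sample = "int f(int x)\n{\n    CHECK(x > 0);\n\n    return x;\n}\n";

    reset_system(0);
    set_heater_duty(40);
    set_heater_duty(250);              /* trips the assertion */
    printf("normal mode:  mode=%d duty=%d\n", (int)g_mode, g_heater_duty);

    reset_system(1);
    set_heater_duty(40);
    set_heater_duty(250);              /* logged, but no safe-state transition */
    printf("battle-short: mode=%d duty=%d\n", (int)g_mode, g_heater_duty);

    printf("assertion density: %.1f%%\n", assertion_density(sample, "CHECK("));
    return 0;
}
```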
 
2/9/2014  Health IT Safety Guides   
A new set of guides and interactive tools to help health care providers more safely use electronic health information technology products, such as electronic health records (EHRs), are now available at the link provided. The Office of the National Coordinator for Health Information Technology (ONC) at HHS released the Safety Assurance Factors for EHR Resilience (SAFER) Guides. These guides are a suite of tools that include checklists and recommended practices designed to help health care providers and the organizations that support them assess and optimize the safety and safe use of EHRs. Each SAFER Guide addresses a critical area associated with the safe use of EHRs through a series of self-assessment checklists, practice worksheets, and recommended practices. Areas addressed include: Each SAFER Guide has extensive references and is available as a downloadable PDF and as an interactive web-based tool.
2/9/2014  NIST Cybersecurity Framework   
NIST received comments on the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity and is updating the framework. They have announced that the final version (Version 1.0) will be released on February 13.
When it is released, the Final Framework will be posted at the link provided. The draft framework is available at http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf
 
2/6/2014  FDA Compliance and Inspection Reorganization   
AAMI posted an article about FDA's plans for a major overhaul of their compliance organization and inspectional approach and staffing. Part of the overhaul is a greater focus on specialized expertise. The article is on the aami.org news page at the link provided. The full federal register notice is at the link provided.
2/3/2014  Essential Requirements Confusion - 60601-1 3rd Ed.   
SoftwareCPR comments on common confusion:
Struggling with Essential Requirements? Many manufacturers faced with compliance to the 3rd edition of 60601-1 do not understand which of their product requirements meet the essential requirements definition. Confusion arises over the actual risk control measures designed into the system and the requirements for the "performance of a clinical function where loss or degradation beyond the limits specified by the manufacturer results in an unacceptable risk". Specifying these limits is the key to understanding essential requirements.

For example, if essential performance states that "XYZ pressure must be maintained within a safe range throughout the treatment":
- Do requirements show clearly what the safe range is, and how monitoring and control are performed?
- Does the hazard analysis correctly align with the failure of essential performance?
- Are the related parameters (in this case, safe range limit values) consistent through safety analysis, requirements, and test?
- If timing is critical, is it addressed wherever appropriate, including essential performance (possibly pressure spikes are acceptable, if of short duration)?

Oversights and inconsistencies are commonly observed when cross-checking these device design elements. Seems obvious and straightforward, but when the issues are scattered throughout a complex risk management file, they are more difficult to see and correct. Maintaining a consistent and organized story as the design decomposes into greater detail will help to avoid confusion and effectively communicate the device performance to different audiences.

If you need help with IEC 60601-1 3rd Edition or related standards such as IEC 62304 or 62366 call 781-721-2921 US or leave a message on our site and one of our experts will contact you.
 
2/3/2014  Fuzz testing article   
The link provided is to an article on Fuzz testing. This type of testing involves injecting bad data to challenge your applications and safeguards. This type of testing can be important for verifying risk control measures and data integrity checks. The name Fuzz testing is a fairly recent moniker for techniques that have been required in safety critical industries for a long time. One might also consider bug seeding (defective code) to challenge a medical device's overall safety architecture.
1/21/2014  Apple meets with FDA   
wallstreetcheatsheet posted an article about a recent meeting of Apple with FDA. See the attached link. 
1/16/2014  AAMI article on FDA UDI Accredited Organizations   
The link provided announces that FDA has accredited the first two organizations (GS1 US and Health Industry Business Communication Council (HIBCC)) to allocate UDI identifying codes. This is required under the new FDA UDI rule which requires all medical devices to have a unique identifier. 
1/16/2014  AAMI Quality System Benchmarking Tool   
The Association for Advancement of Medical Instrumentation just released a tool to help medical device companies determine how critical elements of their quality management systems compare with those of their peers. It features more than 100 measurements covering two specific areas: Risk Management and Corrective & Preventive Action (CAPA). Benchmarking data can also be submitted at the corporate, division, or site level. Click the link provided for more information. 
1/16/2014  FDA Draft Computational Models Submission Guidance   
FDA issued a new draft guidance "Reporting of Computational Modeling Studies in Medical Device Submissions". This guidance for use of computational modeling and simulation (CM&S) studies in premarket submissions provides recommendations to industry on the formatting, organization, and content of reports of CM&S studies that are used as valid scientific evidence to support medical device submissions. Moreover, this guidance is also for FDA Staff, to help improve the consistency and predictability of the review of computational modeling and simulation studies and to better facilitate full interpretation and complete review of those studies. The full draft is at the link provided and the comment period ends April 18, 2014.
1/15/2014  FDA Software Recall Article   
Lisa Simone, a biomedical software engineer at FDA, published an article in the Nov-Dec 2013 issue of the Biomedical Instrumentation & Technology journal with information on an analysis of historical software related recalls using internal information at FDA as well as other sources. The article breaks down the recalls by year and product type. She investigated the years 2005-2011 and found 84 in 2005, 119 in 2006, 119 in 2007, 192 in 2008, 146 in 2009, 147 in 2010, and 315 in 2011. In 2011 there was an increase in all recalls as well as software related ones. From 2006-2011 the percentage of software related recalls (which includes where software was modified to fix other types of problems) was in the 18-25% range. Imaging and radiology software accounted for the largest number of software recalls.

SoftwareCPR scans public information on medical device software recalls and posts them including yearly totals. Our totals are different than this article (but both show an increase in 2011), but as stated in the article even internally FDA has no good way to identify software recalls, so numbers are imprecise.
 
1/14/2014  Prescription Mobile App for Diabetes   
The link provided is to a company that is now actively marketing a medical mobile app called BlueStar, only available by prescription, to aid management of diabetes. This was cleared by FDA previously and the prescription nature of the app qualifies it for insurance reimbursement.
1/10/2014  A. Kusinitz selected for AAMI nominating committee   
The Association for the Advancement of Medical Instrumentation selected Alan Kusinitz (Managing Partner of SoftwareCPR) to join its board member nominating committee. Alan has contributed to standards development and training programs for AAMI over many years in the interest of protecting public health. 
1/9/2014  NIST Preliminary Cybersecurity Framework   
US National Institute of Science and Technology (NIST) has made the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity available for review. Critical infrastructure is systems vital to the United States and includes the healthcare and public health sector. While this framework is identified as voluntary, its high level of visibility will likely result in it becoming the expected level of security in regulatory and legal proceedings.
The draft framework is available at the link provided.
 
1/6/2014  FDA 510(k) Submission Process Timeline/Overview   
The FDA page at the link provided provides an overview of the 510(k) review process and timeline. It describes the acknowledgment procedure, Acceptance Review, Substantive Review, Interactive Review, AI Request and Decision Letter. It also provides a timeline and indicates all timeframes are in calendar days.
Full Manual Link: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/HowtoMarketYourDevice/PremarketSubmissions/PremarketNotification510k/ucm070201.htm
 
1/4/2014  IEC Evaluation of Risk Management   
IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE) has published Document OD-2044 Ed. 2.2, Evaluation of Risks Management in medical electrical equipment according to the IEC 60601-1 and IEC/ISO 80601-1 Series of Standards. The scope of this procedure is intended to provide a uniform approach to the Certification Body Testing Laboratory and Manufacturer on how to assess and document compliance with the relevant clauses of IEC 60601 standard series related to the standard ISO 14971. The document has been prepared by the IECEE Risk Management Task Force chaired by Alf Dolan, the convener of the ISO 14971 working group. The TF's goal is not to demand more or less than the standard requires but to help ensure that all those in the CB scheme take a common approach to assessing compliance to the standard's risk management aspects. The document is available at the link provided.
1/3/2014  Software Recall Summary 2004-2013   
Based on our searches and posting of software related recalls, there appears to be a significant increase of recalls reported to FDA in 2008 and then some reduction, but still higher than prior years, in 2009. Then a bit lower in 2010 and significantly higher in 2011, 2012, and 2013. It is unclear if this indicates a decrease in safety, an increase in the number of software based devices or the functionality that software controls, or simply an increase in reporting. Yearly total software recalls, to the best of our ability to identify, were:

2013 - 197
2012 - 173
2011 - 177
2010 - 76
2009 - 98
2008 - 132
2007 - 82
2006 - 81
2005 - 66
2004 - 84
 
12/28/2013  Michael Hoffman joins SoftwareCPR   
Michael Hoffman of Kirkland, WA is now a partner at Crisis Prevention and Recovery LLC (DBA SoftwareCPR ®) a full service medical device compliance and premarket submissions consultancy. Michael has over thirty two years of senior management experience in regulatory affairs, quality systems, good laboratory practices, and clinical affairs. He is a board member and Program Committee Chair of the Organization of Regulatory and Clinical Associates, faculty member for the Association for the Advancement of Medical Instrumentation (AAMI) quality management system, purchasing controls, and design control courses, and faculty and lecturer for three University of Washington programs: the Certificate in Biomedical Regulatory Affairs, the Professional Masters in Biomedical Regulatory Affairs, and Masters in Medical Engineering.

Michael expands the company's RegulatoryCPR services capabilities and establishes geographic presence in the US Northwest. His full CV is on the credentials page of www.softwarecpr.com. For more information please leave a message on the website or call 781-721-2921.
 
12/20/2013  AAMI's most popular 2013 TIR - Agile   
AAMI announced that TIR45-2012 "Guidance on the use of agile practices in the development of medical device software" was their most popular TIR for 2013. This document was developed with the participation of FDA and addresses how Agile Methods can be used in compliance with FDA medical device regulations for software.

Brian Pate and Alan Kusinitz of SoftwareCPR are instructors for the new AAMI course on Agile methods compliance. Brian was on the working committee that developed TIR45 and Alan was a reviewer. We and our other partners can provide onsite training or help quality system staff and software development groups ensure efficient yet compliant implementation of Agile Methods.
 
12/19/2013  FDA electronic submission security breach   
The link provided is to an article on reuters.com regarding a security breach by hackers into FDA's system for submitting information to its Center for Biologics. Manufacturers are pushing for an external independent security audit of FDA's systems, fearing their proprietary information may be vulnerable once provided to FDA. FDA claims it was only account information that was compromised, not premarket submissions, according to Reuters.
11/27/2013  Congressional hearing on SW as a Device   
The link provided is to an article on mobihealthnews.com summarizing the congressional hearing last week on whether software should be regulated by FDA as a medical device. This is related to the Blackburn Bill which would exempt many standalone software medical applications, if passed into law, from FDA regulation. 
11/14/2013  FDA Draft Guidance Development Tools Qualification   
FDA's Device Center issued a draft guidance "Medical Device Development Tool". The direct link is provided. NOTE that this guidance is not for development tools in general. It defines a qualification and FDA submission and determination process for specific types of tools related to clinical and nonclinical evaluation. It provides a mechanism for FDA to essentially approve a tool for a specific intended use in device evaluation, with the intent of streamlining the review process for devices whose performance evaluation was based on tools that were pre-qualified with FDA. 
11/12/2013  IEC 80002-1 and 80001-1 reconfirmed to 2016   
IEC 80002-1 "Guidance on the application of ISO 14971 to medical device software" has been reconfirmed with a new stability date of 2016. This means that the document will not change before 2016. The next review to determine if the technical report should be revised will occur in 2015.

IEC 80001-1 "Application of risk management for IT-networks incorporating medical devices" has been reconfirmed for one year with a new stability date of 2016. Revision of this standard will begin in 2014.
 
11/5/2013  FDA CDRH Cybersecurity web page   
FDA's Device Center added a dedicated webpage on Cybersecurity for medical devices in its connected health section. The direct link is provided. 
10/26/2013  FDA DSMICA name change   
The FDA's Division of Small Manufacturers, International, and Consumer Assistance will be changed to DICE, the Division of International and Consumer Education, to emphasize its educational role as part of expanded educational efforts. This change was completed April 2014. The new email address is DICE@fda.hhs.gov. More information is at the link provided. 
10/26/2013  US Congress Bill for Medical software Oversight   
Oct 22, 2013 press release from the office of Congressman Marsha Blackburn:
"Congressman Marsha Blackburn (R-TN07) joined Representatives Gene Green (D-TX29), Dr. Phil Gingrey (R-GA11), Diana DeGette (D-CO01), Greg Walden (R-OR02), and G. K. Butterfield (D-NC01) today in introducing the Sensible Oversight for Technology which Advances Regulatory Efficiency (SOFTWARE) Act to provide regulatory clarity regarding mobile medical applications, clinical decision support, electronic health records, and other health care related software. By building on the guidance recently released by the FDA and codifying their risk based regulatory approach this important legislation provides the regulatory certainty that technology companies need in order to continue to drive innovation and ensure patient safety." The draft bill is at the link provided and indicates that "Clinical software and health software shall not be subject to regulation under this Act", meaning by FDA.
 
10/25/2013  FDA Single International Audit Program Pilot   
The International Medical Device Regulators Forum (IMDRF) recognizes that a global approach to auditing and monitoring the manufacturing of medical devices could improve their safety and oversight on an international scale. At its inaugural meeting in Singapore in 2012, the IMDRF identified a work group to develop specific documents for advancing a Medical Device Single Audit Program (MDSAP).
Beginning in January 2014, FDA will be participating in a MDSAP Pilot alongside other international partners. FDA will accept the MDSAP audit reports as a substitute for routine Agency inspections. The MDSAP Pilot is intended to allow MDSAP recognized Auditing Organizations to conduct a single audit of a medical device manufacturer that will satisfy the relevant requirements of the medical device regulatory authorities participating in the pilot program. International partners that are participating in the MDSAP Pilot include: Therapeutic Goods Administration of Australia, Brazil's Agência Nacional de Vigilância Sanitária, Health Canada. Observers - Japan's Ministry of Health, Labour and Welfare, and the Japanese Pharmaceuticals and Medical Devices Agency. More information is at FDA webpage at the link provided.
 
10/24/2013  ISO 62366 and IEC 60601-1-6 Amendments   
The amendments to ISO 62366 and IEC 60601-1-6 were approved unanimously. The amendment to 62366 introduces requirements for legacy products that were created prior to the adoption of ISO 62366, and the amendment to 60601-1-6 clarifies the elements of the usability engineering process that are required for compliance with the IEC 60601 series. 
10/24/2013  SoftwareCPR.com October 2013 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site since 7/22/2013 and as of 10/24/2013. It serves as an easy reference to find new or updated items that may be of interest to you and provides a full index of SoftwareCPR educational items. You can click on sections of the document and the related web page should open. 
10/22/2013  FDA Unique Device Identifier SW Requirements   
FDA issued its final rule September 24, 2013 along with a Draft GUDID Guidance. The link attached is FDA's webpage related to this rule. It includes a table of compliance dates ranging from 1 to 7 years depending on device class and type.

A unique device identifier (UDI) is a combination of a Device Identifier (DI) and a production identifier (PI). The device identifier is assigned by either the FDA or an FDA accredited issuing agency. For stand alone software, the PI is your version number. The rule designates that when dates are used, they should be of the format YYYY-MM-DD.

The following steps should be taken for labeling your devices in order to comply with the Medical Device Unique Identifier Rule:

1. Obtain a DI from an FDA accredited Issuing Agency or FDA (Note: We are not aware of any FDA accredited Issuing Agencies at this time.)

2. Obtain a GUDID (Global Unique Device Identifier Database) Account. This is an FDA account. (Note: This account is not yet available that I am aware of.)

3. For Stand alone software that is not packaged, a plain-text statement of the UDI is to be displayed whenever the software is started, or a plain-text statement is to be displayed through a menu such as with an "about" command.

4. For Stand Alone Software that is packaged, the package label and the label of the CD or other medium should additionally include an AIDC UDI number. AIDC is an automatic identification and data capture technology that conveys the UDI in a form that can be entered into an electronic patient record or other computer system via an automated process (e.g., barcode).

This regulation additionally requires the UDI to be reported as part of a recall/MDR event and may require you to update those procedures.

This represents highlights of our understanding of the rule at this point in time.
 
10/22/2013  Ranorex Automated Test Tool   
One of the automated test tools SoftwareCPR's hands-on V&V testing support group uses is Ranorex www.ranorex.com. We have had very good experience with this tool for user interface testing for certain types of medical device software. If you have questions about the pros and cons of this tool, or if you want our test group to help get you started with it or outsource creation of test assets for use with this tool, let us know by leaving a message on the website or call Brian Pate of SoftwareCPR at 813-766-0563 or email him directly at brian@softwarecpr.com. 
10/21/2013  First AAMI Agile Software Compliance Course   
Last week was the first offering of AAMI's course on Agile Software Methods Compliance. Approximately 30 students attended from a wide range of medical device manufacturers including software engineers, quality, compliance, and regulatory managers. As a first offering this level of enrollment shows the high interest in more efficient and effective approaches to medical device software.

Brian Pate and Alan Kusinitz of SoftwareCPR as well as Kelly Weyrauch of Medtronic served as instructors. AAMI is currently scheduling the second offering in the first half of 2014. For more information leave a message on our site or email training@softwarecpr.com. SoftwareCPR can also provide on-site consulting and training to assist you in efficient and compliant Agile implementations tailored to your quality system, culture, device type, and preferences.
 
9/27/2013  EU Commission New Rules For Auditing by NBs   
The EU Commission published "COMMISSION RECOMMENDATION of 24 September 2013 on the audits and assessments performed by notified bodies".

This clarifies and strengthens the criteria for certifying (and auditing) notified bodies and the criteria that the notified bodies have to use in assessing companies and products.

The main changes are that the member states are required to do a joint assessment of a potential notified body with experts from the Commission and to carry out surveillance and monitoring of notified bodies. It also requires notified bodies to do unannounced factory audits which they were not allowed to do before (but the FDA does).

It also states "As publication of residual risks in the information given to the user does not reduce the risk, but publication of residual risks and warnings used as risk control measure may be beneficial, have residual risks been correctly placed on IFUs or provided in training, and have manufacturers evaluated whether those warnings are effective..." This clarifies that although labeling cannot reduce risk, labeling can still be used as risk control measures.
 
9/25/2013  FDASIA workgroup recommendations   
The FDA Safety and Innovation Act (FDASIA) workgroup completed its work and made its draft recommendations in September. The recommendations include: HIT should not be regulated except in cases where there is risk to the patient, a patient-safety risk framework should be used to allow application of regulatory oversight by risk, vendors should be required to list products which represent at least some risk, better post-market surveillance of HIT is needed, steps should be taken to discourage practices that limit the free flow of information. The full draft recommendations report can be found on the page at the link provided:
http://www.healthit.gov/facas/calendar/2013/09/04/hit-policy-committee. In addition, 39 comments were received in response to a request made by the three agencies involved (FDA, ONC and FCC). These comments can be found in Docket HHS-OS-2013-0003 at http://www.regulations.gov/#!docketBrowser;rpp=50;po=0;dct=PS;D=HHS-OS-2013-0003. The agencies have until January to complete the report.
 
9/24/2013  FDA Final Mobile Medical Apps Guidance   
FDA released a final guidance entitled "Mobile Medical Applications" dated 25-Sep-2013. This guidance explains FDA's current policies regarding regulation of Mobile Medical Applications. It provides criteria and examples of Mobile Medical Apps that are considered Medical Devices; for these it explains which are subject to FDA regulation and which will not require compliance with the medical device regulations. It also explains criteria for which Mobile Applications, platforms, and services (e.g., distribution) are not considered regulated Medical Devices. This guidance is quite specific and definitive in many respects and for certain intended uses (e.g., medicine reminder systems, personal health coaching and others). The full guidance is at the link provided. 
9/20/2013  Australian Regulation of Medical software and Apps   
The Therapeutic Goods Administration of the Australian Department of Health released a document on 13-Sep-2013 entitled "Regulation of medical software and mobile medical 'apps'". This explains at a high level Australia's approach to regulation of medical software. It indicates a risk based approach is taken and that all medical devices are expected to meet the Essential Principles for safety and performance and any above Class 1 also require Conformity Assessment certification. The full guidance is at the link provided. 
9/14/2013  FDA Final Electronic Source Data Guidance   
FDA issued a FINAL "Guidance for Industry and Food and Drug Administration Staff - Electronic Source Data in Clinical Investigations" September 2013. The full document is at the link provided. It discusses the value of electronic source data for clinical investigations as well as types of controls to ensure integrity and trace origin. Among other requirements it states: "When data elements are transcribed from paper sources into an eCRF, the clinical investigator(s) must also retain the paper sources, or certified copies, for FDA review. Other records (electronic and paper) required to corroborate data in the eCRF (see section III.A.2.a) may also be requested by FDA during an inspection." 
8/28/2013  Agile Methods YouTube Video   
The link provided is to a YouTube video by Henrik Kniberg on Agile Methods on key concepts focused on product ownership. 
8/15/2013  FDA Connected Health Initiative   
FDA CDRH has increased its focus on networked medical devices, Health IT, wireless technologies, and telemedicine. They have established a web page providing an overview which then has links to pages related to Mobile Medical Apps, Medical Device Data Systems, Home Health and Consumer Devices, Health IT, and wireless medical devices. The connected health FDA webpage is at the link provided. 
8/14/2013  FDA Radio Frequency Wireless Technology Guidance   
FDA issued a final guidance (draft was issued in 2007) entitled "Radio Frequency Wireless Technology in Medical Devices" (issued on: August 14, 2013) on July 29, 2016. This guidance defines FDA expectations for both design considerations and information to be provided in premarket submissions for devices that utilize radio frequency (RF) wireless technology. This is in addition to any EMI/EMS and electrical safety information. 
8/14/2013  FDA CDRH Final Guidance for Wireless Technology   
FDA released a final guidance entitled "Radio-Frequency Wireless Technology in Medical Devices".

Section 3 addresses design, testing, and use of wireless devices including security, EMC, and maintenance.

Section 4 addresses information to be included in premarket submissions including a description with emphasis on how the design assures timely, reliable, and secure information transfer as well as how risks are managed, whether alarm signals are involved, and whether other products can connect wirelessly to the device. This section also discusses a risk-based approach to V&V, risks associated with security and EMC, test data summaries and labeling of wireless medical devices.

The full guidance is at the link provided.
 
8/6/2013  FDA Recognizes 25 Networking & Cybersecurity Stds   
FDA has recognized a total of 25 standards on medical device interoperability and cybersecurity. These standards can be categorized into 3 groups:
o Risk management standards for a connected and networked environment (IEC 80001 series and ASTM F2761-09);
o Interoperability standards that establish nomenclature, frameworks and medical device specific communications and including system and software lifecycle processes (ISO/IEEE 11073 series and ISO/IEC 15026-4);
o Cyber security standards from the industrial control area most relevant to medical devices (IEC 62443 series).

These include standards for communication for specific device types such as thermometers, glucose meters, pulse oximeters and others.

The full list is at the link provided.
 
7/22/2013  SoftwareCPR.com July 2013 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site since 4/22/2013 and as of 7/22/2013. It serves as an easy reference to find new or updated items that may be of interest to you and provides a full index of SoftwareCPR educational items. You can click on sections of the document and the related web page should open. 
7/12/2013  ICS-CERT Alert regarding hard-coded passwords   
ICS-CERT is issuing this alert to provide early notice of a report of a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. 
7/12/2013  NIST draft outline of a cybersecurity framework fo   
NIST was directed to prepare a cybersecurity framework for critical infrastructure in Presidential Executive Order 13636. Healthcare was identified as one of the areas with critical infrastructure. This draft for comment is only an outline of the framework. 
7/12/2013  ONC contract with the Joint Commission   
ONC contract with the Joint Commission to investigate health IT-related safety events. The purpose of this contract is to ensure that there is an early detection system on health IT-related safety issues, including those associated with EHRs. 
7/12/2013  ONC guidance on annual surveillance plans   
ONC guidance on annual surveillance plans by authorized certification bodies. Authorized Certification Bodies are expected to conduct surveillance on EHRs that they have certified. This guidance provides the priorities for topics to assess in the surveillance plan. Safety-related capabilities and security capabilities are two of the four areas for priority identified in this guidance. 
7/12/2013  ONC Patient Safety Action & Surveillance Plan   
The final version of the ONC plan that has the objectives to use health IT to make care safer and to continuously improve the safety of health IT. 
7/9/2013  FDA MDR Draft Guidance   
The FDA published a draft guidance on Medical Device Reporting for Manufacturing on July 9, 2013 intended to supersede the 1997 guidance once it is finalized. The comment period is 90 days and electronic comments can be submitted to http://www.regulations.gov.

This guidance is structured as a series of questions and answers.
 
7/2/2013  US HHS Dep. Health IT Safety and Surveillance Plan   
The US Department of Health and Human Services (of which FDA is a part) published: Health Information Technology Patient Safety Action & Surveillance Plan.

The plan defines several types of action:
- Learn - mainly monitoring of safety of Health IT in the field
- Improve - Investigate adverse events and take corrective action. Set safety priorities and incorporate safety into certification criteria for Health IT while supporting research and development of testing, best practices, and training.
- Lead - Encourage private sector leadership for Health IT Safety and develop a risk-based regulatory framework for Health IT including for State governments.

The full plan is at the link provided.
 
6/14/2013  Draft Cybersecurity Premarket Guidance   
OBSOLETE draft for historical comparison only. Final issued Oct. 2014. Look in news or library on our site for the final version.

FDA issued a draft guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" dated June 14, 2013. Comments on this document should be submitted within 90 days at www.regulations.gov or in writing to FDA 5630 Fishers Lane, Room 1061, Rockville, MD 20852.

This guidance defines cybersecurity information requested by FDA in premarket submissions. It recommends that manufacturers provide justification for the security measures chosen, and that they consider availability so security measures do not impede urgent medical actions. It also requests that the submission include identification of cybersecurity hazards, design considerations, and their control measures, a trace matrix for this, a plan for providing validated updates and patches, documentation to demonstrate malware will not be present in the software distributed, and instructions/labeling related to recommended antivirus software and firewalls appropriate for the intended usage environment.

The full guidance is at the link provided.
 
6/13/2013  FDA Cybersecurity Safety Communication   
FDA issued a safety communication: Cybersecurity for Medical Devices and Hospital Networks. This notice is intended for hospitals, user facilities, health care IT and procurement staff and biomedical engineers.

It indicates FDA has become aware of vulnerabilities and incidents where medical devices have been affected by malware and timely security software updates have not been provided or installed. FDA is not aware of actual patient injuries.

This communication recommends a number of actions. The full text is at the link provided.
 
6/13/2013  Washington Post Medical Dev. Cybersecurity Article   
The Washington Post published an article discussing some of the research challenging medical device security which is being addressed by FDA and the Department of Homeland Security. A link to the article is attached. 
5/24/2013  FDA Mobile App Compliance Letter.   
FDA issued a compliance letter to a company distributing an uncleared Mobile App for reading urine analysis strips on May 21, 2013. The full text of this letter is on our warning letter page. 
4/25/2013  EN 62304 FAQ   
Provides answers to questions that have been asked to notified bodies regarding using EN 62304 for regulatory purposes in the EU. 
4/25/2013  ISO 14971 versus the EU Commission   
The debate over ISO 14971 continues between industry and the European Commission. The joint ISO & IEC working group responsible for ISO 14971 met and determined that ISO 14971 still represents the state of the art for medical device risk management and that no changes were needed despite the position of the EC that ISO 14971 does not meet the essential requirements of the directives. Several notified bodies and COCIR/Eucomed have produced guidance for how manufacturers can use ISO 14971 in claiming conformance to the essential requirements. 
4/24/2013  FDA releases Mobile App   
FDA released a MedWatcher Mobile App for individuals to use to report adverse events for medical devices. Their notice is at the link provided and the app is available from Apple and Google stores. 
4/24/2013  Whole Slide Imaging - Class III?   
The link provided is an article regarding FDA's current thinking that whole slide imaging will be treated as Class III, which is a significant barrier in terms of time and cost. 
4/22/2013  SoftwareCPR.com April 2013 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site since December 10, 2012 and as of 4/22/2013. It serves as an easy reference to find new or updated items that may be of interest to you and provides a full index of SoftwareCPR educational items. You can click on sections of the document and the related web page should open. 
4/21/2013  SoftwareCPR Mobile App V&V Service   
Brian Pate of SoftwareCPR now leads our specialized validation services for Mobile Medical Apps (MMApps) including our own simulator based testing and automated unit and functional testing. For Mobile Apps that are regulated medical devices we provide full design control and premarket submission support by compliance and validation experts with specific Mobile App technical knowledge that includes oversight of App development vendors. 
4/18/2013  IEC 62304 Revisions and Scope expansion update   
IEC SC 62A has agreed that the 2nd edition of 62304 will be expanded to cover all Health Software not just medical devices. In the interim an amendment will be issued to clarify current safety classification and also application of 62304 for legacy software (this was originally intended to be done as part of 2nd Edition) for medical devices. 
3/17/2013  Health IT US Regulation Update   
How Health IT will be regulated was being discussed by the US government in February.

A Health IT Patient Safety Action & Surveillance Plan was circulated by the Office of the National Coordinator for HIT (ONC) in December and is at the link provided below.

A report on An Oversight Framework for Assuring Patient Safety in Health was released by the Bipartisan Policy Center in February and is at http://bipartisanpolicy.org/sites/default/files/Patient%20Safety%20Health%20IT.pdf .
The ONC solicited members for a work group for developing the report on a framework for regulating HIT required by the Food and Drug Administration Safety Innovation Act (FDASIA) legislation that was adopted last summer. Information on applications for this working group is at http://www.fcc.gov/membership-applications-sought-fda-safety-innovation-act-workgroup .
 
3/16/2013  Australian Premarket Assessment Update   
Australia has released a proposal paper on changes to the premarket assessment requirements for medical devices.

This proposal paper is seeking to:
• refine a risk-based approach to regulation;
• ensure that the TGA undertakes a more comprehensive review of higher risk medical devices, in particular implantable and surgically invasive medical devices intended for long term use;
• increase transparency and accountability of the TGA's decision making; and
• allow Australian manufacturers of lower risk medical devices to have the option of European Conformity assessment for supply of their devices in Australia.

The proposal can be found at the link provided.
 
2/22/2013  FDA Distinguishing Recalls from Enhancements Draft   
The FDA published a draft guidance on Medical Device Reporting for Manufacturing on Distinguishing Medical Device Recalls from Product Enhancements and Associated Reporting Requirements - Draft Guidance for Industry and Food and Drug Administration Staff. This guidance is structured as a series of questions and answers and is at the link provided. 
2/1/2013  Philips Medical Device Security Vulnerability   
The report at the link provided of a presentation at the S4 SCADA Conference in Miami on Jan. 17, 2013 discusses a security vulnerability in a medical device. 
1/29/2013  2012 FDA Software Warning Letter Count   
The total number of FDA software, computer system, and electronic records warning letters in 2012 is approximately 30 which is up from 18 in 2011 and fewer in 2009 and 2010. This is based on the keyword searches we perform on a regular basis but is not guaranteed to be comprehensive. 
1/3/2013  FDA eCopies eSubmitter Quick Reference Guide   
FDA has provided a tool that allows creation of a premarket submission eCopy that meets FDA requirements. The guide for this tool is at the link provided. 
1/3/2013  FDA Final eCopy Guidance   
FDA has released a final version of the guidance "eCopy Program for Medical Device Submissions" dated Dec. 31, 2012. This indicates that section 1136 of FDASIA requires submission of an eCopy for 510(k)s, de novo, PMA, IDE, PDP and other submissions but not including 513(g)s and a few others. The eCopy must contain all information provided in paper form. It may include additional information with a reference indicated in the paper copy. A cover letter must be provided to explain any differences. Note that a 510(k) requires 2 copies and a PMA 6. The full guidance is at the link provided. 
1/3/2013  FDA Revised 510(k) Refuse to Accept Policy   
FDA has a fully revised guidance "Refuse to Accept Policy for 510(k)s" dated Dec. 31, 2012. This includes a series of checklists including determining if the device is subject to 510(k), referring to all elements of the software submission guidance, and allowing for alternative approaches to information provided along with justification for the alternatives. The full guidance is at the link provided. 
1/3/2013  FDA Revised PMA Filing Acceptance Guidance   
FDA has issued a revised guidance "Acceptance and Filing Reviews for Premarket Approval Applications (PMAs)" dated Dec. 31, 2012. The full guidance is at the link provided. 
1/3/2013  FDA Sanofi Aventis recall of Mobile App   
This is one of the first mobile medical app recalls we have seen posted. It is for an app that was only intended to be released in Brazil but was published on the iPhone store and available in the U.S. Its intended use is diabetes education. The full recall excerpt is available on our Recalls page dated Jan 2, 2013. 
12/28/2012  AAMI/FDA Device Interoperability Summit Proceedings   
AAMI and FDA held a two-day event Oct 2-3, 2012 as a summit on interoperability. 260 people attended. AAMI has authorized widespread distribution of the proceedings document from this event. It is at the link provided. 
12/9/2012  SoftwareCPR.com December 2012 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site since July 27, 2012 and as of December 10, 2012. It serves as an easy reference to find new or updated items that may be of interest to you and provides a full index of SoftwareCPR educational items. You can click on sections of the document and the related web page should open. 
12/8/2012  GHTF Closing Statement   
The GHTF is ending and will be replaced by a regulator-only organization, the International Medical Device Regulators Forum (IMDRF). This is the closing statement by the GHTF. 
12/8/2012  GHTF Guidance on Essential Principles of Safety   
The Global Harmonization Task Force revision of its guidance on Essential Principles of Safety and Performance of Medical Devices. It includes requirements for software that are similar to the European Union’s essential requirements relating to software. 
12/2/2012  FDA draft Electronic Source Data Guidance   
FDA issued a draft "Guidance for Industry and Food and Drug Administration Staff - Electronic Source Data in Clinical Investigations" Nov 30, 2012. The full document is at the link provided. It discusses the value of electronic source data for clinical investigations as well as types of controls to ensure integrity and trace origin. 
11/12/2012  IEC 62366 CDV-1 Amendment Draft for Review   
AAMI/CDV-1 62366:2007/A1 (IEC/SC62A/826/CDV) -- Medical devices - Application of usability engineering to medical devices, Amendment 1.

This amendment is out for comment and addresses legacy user interfaces and 62366 conformance for User Interfaces of Unknown Provenance (UOUP).

The 62366 amendment draft can now be downloaded free from AAMI. Go to the AAMI web site at the link provided or search standards for 62366.
 
11/5/2012  IEC 62304 2nd Edition Draft for Review   
The first committee draft of the second edition of IEC 62304 Medical device software life cycle processes has been circulated internally for comment. Major changes include a revision of how software safety class is determined which could reduce the tendency towards most software being Class C, clear requirements for legacy software that explain how conformance can be established without full development conformance, and an informative process reference model. Comments are due by January 11, 2013. 
10/18/2012  FDA issues draft revised PMA Clock Guidance   
FDA revised its "Guidance for Industry and Food and Drug Administration Staff - FDA and Industry Actions on Premarket Approval Applications (PMAs): Effect on FDA Review Clock and Goals" October 15, 2012. A final of this will supersede the previous version dated June 30, 2008. The full document is at the link provided. 
10/18/2012  FDA Revises 510(k) Clock Guidance   
FDA revised its "Guidance for Industry and Food and Drug Administration Staff - FDA and Industry Actions on Premarket Notification (510(k)) Submissions: Effect on FDA Review Clock and Goals" October 15, 2012. This obsoletes the previous version dated May 21, 2004. The full document is at the link provided. 
10/17/2012  FDA Device Center draft Submission e-copy guidance   
The device center at FDA has been requesting and allowing electronic copies of submission information in a variety of forms for a number of years but with no standard approach. The draft guidance at the link provided is a step towards clarifying this and allowing e-copies to replace all but a certain number of paper copies (depending on submission type) provided there are signed paper certifications/cover letters with each e-copy. 
10/17/2012  ISO14971 no longer compliant with EU requirements   
A new version of EN 14971 was published and harmonized in the Official Journal of the EU. ISO 14971 now may not ensure compliance with EU essential requirements for medical devices. Specifically, 14971 allows the manufacturer to discard negligible risks, but all risks must be taken into account and reduced as much as possible to satisfy EU requirements, and "as low as reasonably practicable" is not acceptable if economic considerations are included. In addition, an overall risk-benefit analysis is always required to meet EU requirements even if it is not required in some circumstances under 14971. 
10/17/2012  MIT article on Medical Device Computer Viruses   
An article on the problems of unpatched medical device operating systems and the impact of malware on devices and hospitals is at the link provided. 
10/15/2012  EU and MDD revised drafts   
The European Union has released a draft revised Medical Device Directive and In vitro Diagnostic Directive for public consultation. These are not amendments to the existing directives, but entire new documents. The existing Implantable Medical Device Directive is incorporated into the new MDD.

Changes in both the MDD and IVDD relating to software include:
-Extending the PEMS requirement in the old MDD to apply to standalone software that is a medical device in the new MDD.
-Changing the requirement for “software must be validated according to the state of the art” in the old MDD to “software shall be developed and manufactured according to the state of the art” in the new MDD.
-Adding a new requirement for software in mobile computing platforms. This new requirement states that software intended to be used in combination with mobile computing platforms shall be designed and manufactured taking into account the specific features of the mobile platform (e.g. size and contrast ratio of the screen) and the external factors related to their use (varying environment as regards to level of light or noise).

Software is also mentioned in the requirement for Interaction of devices with their environment.
 
10/12/2012  AAMI/FDA Interoperability Summit presentations   
Presentations made at the AAMI/FDA Interoperability Summit on October 1-2, 2012 can be found at the link provided. 
10/12/2012  AAMI/UL collaboration on interoperability standard   
Press release from AAMI and UL regarding their collaboration to produce a series of interoperability standards. 
10/12/2012  EU proposed new In Vitro Device Directive   
Draft of the revised IVDD is at the link provided. 
10/12/2012  EU proposed new Medical Device Directive   
Draft of the revised MDD is at the link provided. The existing Active Implantable Device Directive is incorporated into the new MDD. 
10/12/2012  FCC report on Mobile Health   
An FCC mHealth task force reported recommendations to government and industry to address barriers to rapid mHealth deployment. 
10/12/2012  GAO report on FDA review of medical device security   
The General Accounting Office assessed how FDA reviewed two implantable devices with wireless communications. Researchers were able to disrupt communications with these devices. The report is at the link provided. 
9/27/2012  AAMI TIR45 Agile Methods Now Available   
AAMI has published AAMI TIR45: 2012 Guidance on the use of AGILE practices in the development of medical device software. FDA staff was involved in development of this guidance for compliant use of Agile methods. The document can be ordered from AAMI.org at the link provided. 
9/18/2012  AAMI seeking new instructors   
AAMI is planning a 2 day train the trainer session March 21-22. The application period closes Nov. 30. For those of you interested in becoming instructors for AAMI's popular medical device compliance course, details are at the link provided. SoftwareCPR has developed and instructs some of these courses. 
9/11/2012  Changes in FDA Registration and Listing FAQ   
FDA issued a summary of changes to device registration and listing effective Oct 1, 2012 along with answers to frequently asked questions. This is available at the link provided. 
8/20/2012  FDA Standards Recognition Modification 20-Aug-2012   
FDA issued a list of modifications to its standards recognitions. The link provided is the webpage where FDA posts each modification list. 
8/10/2012  AAMI SW87 MDDS Quality System guidance issued   
The final version of ANSI/AAMI SW87:2012 Application of quality management system concepts to medical device data systems has been published. FDA initiated and participated in this work. Sherman Eagles, Sandy Hedberg, and Molly Ray of SoftwareCPR were on the working group and Alan Kusinitz of SoftwareCPR was a reviewer. SoftwareCPR can provide MDDS developers new to FDA regulation with training and compliance support focused on efficient approaches.

The document is copyrighted by AAMI so those interested will need to purchase it from AAMI at the link provided. Note: it may take some time from the date of AAMI's announcement to those of us on the committees to actual availability on their website.
 
7/27/2012  China SFDA Draft Software Premarket Requirements   
The SFDA prepared a draft document entitled "Explanations on the Basic Requirements of Application for Registration of Medical Device Software" dated 4/28/12. This was initially translated to English by JIRA (Japan Industries Association of Radiological Systems), and Shawn Yang of SoftwareCPR (a native Chinese speaker and US medical device software expert) reviewed the original Chinese and made some corrections and clarifications to the translation. Paid subscribers to softwarecpr.com and Standards Navigator subscribers can download this from our website library with their login.

The requirements are modeled on FDA's Submission guidance and 62304 but with some significant differences, including using 62304 safety classes, which are not always consistent with FDA's Levels of Concern, and not requiring design specifications. Although not stated in the document, we have heard from a number of sources that the SFDA has been expecting version numbers in the field to match the version number in the cleared application, unlike FDA, which does not require new submissions for all changes.
 
7/27/2012  SoftwareCPR.com July 2012 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site since February 29, 2012 and as of July 27, 2012. It serves as an easy reference to find new or updated items that may be of interest to you and provides a full index of SoftwareCPR educational items. You can click on sections of the document and the related web page should open. 
7/11/2012  Electronic Health Record Incentive programs   
The link provided is to the Official US Government Web Site for the Medicare and Medicaid Electronic Health Records (EHR) Incentive Programs. The terms EHR and Electronic Medical Record (EMR) are sometimes used interchangeably. The issue of what systems FDA does now or might in the future regulate as a medical device is not addressed via information on this incentive program. 
7/11/2012  FDA Clinical Data for Imaging Diagnosis submission   
FDA released a new guidance dated July 3, 2012 entitled "Clinical Performance Assessment: Considerations for Computer-Assisted Detection Devices Applied to Radiology Images and Radiology Device Data - Premarket Approval (PMA) and Premarket Notification [510(k)] Submissions." This guidance discusses types of Computer Aided Detection devices (CADe) and appropriate clinical data to include in 510(k)s and PMAs for these devices. This guidance is focused on radiology imaging devices that identify, mark, highlight, or in any other manner direct attention to portions of an image, or aspects of radiology data, that may reveal abnormalities. 
7/1/2012  MDICC draft concept paper   
Medical Device Interoperability Coordinating Council draft concept paper
This group is being facilitated by the FDA to encourage interoperability between medical devices.
 
5/29/2012  Calculation software recall reclassified Class I   
Baxa Abacus Total Parenteral Nutrition (TPON) Calculation Software from 2009 reclassified as the most severe recall type. This is considered Laboratory Information software (LIMS) used in ordering total parenteral nutrition. Class I recalls for LIMS are rare but the importance and potential risk of incorrect calculation are increasingly visible. The link provided is to the FDA update on this recall. 
5/29/2012  FCC allocates spectrum for wireless medical device   
The FCC voted to allocate special separate wireless spectrum for devices implanted or attached to the body for monitoring purposes. 
5/22/2012  EU 62304 Conformity FAQ Invitation Letter   
An open invitation letter was sent out with the involvement of members of CENELEC TC 62, NBMED, and the VDE Testing and Certification Institute asking for questions that could potentially be included in a FAQ document on 62304 specifically addressing EU conformity. This document could be used by manufacturers and notified bodies to achieve a more consistent usage of the standard in practice. The letter is at the link provided. It includes an email address to send questions on interpretation of 62304. The letter asks that questions be sent by the end of May, but it is not likely to be circulated widely by then, so if you have questions send them in (to the address in the letter – not to me!) even after May. 
5/16/2012  AAMI Software and Health Information Technology   
The Association for the Advancement of Medical Instrumentation (AAMI) is reorganizing its committee structure related to Software, Health IT, networks and related topics by forming a Software and Health Information Technology (SWIT) committee to oversee all related standards activities. The current plan is that this committee will coordinate all work in the Software, IT, MDDS, Interoperability, Mobile APPs, and Device Security committees to ensure consistency and avoid overlap. The first meeting of the SWIT will be held in December 2012 in conjunction with AAMI Standards Week in Daytona, FL. 
4/27/2012  Sherman Eagles wins ACCE award   
The American College of Clinical Engineering issued its ACCE 2012 Challenge Awards. Sherman Eagles of SoftwareCPR received an award for achievement in the field of health technology management for his leadership of the working groups for IEC 80001-1 for risk management of IT networks that incorporate medical devices and the AAMI Medical Device Data System-MDDS/Quality Systems recommended practice. 
4/12/2012  FDA Final 513(g) Guidance Requests for Information   
FDA issued a final Guidance "FDA and Industry Procedures for Section 513(g) Requests for Information under the Federal Food, Drug, and Cosmetic Act" dated April 6, 2012 to replace the April 29, 2010 draft. This guidance is issued jointly by CDRH and CBER. This guidance defines the process for sending in a request to FDA for information regarding the regulatory classification of a product, including whether FDA considers it a device and if so how it is regulated. There is a user fee for submission of a request. 
3/27/2012  IEC 62366 Fast Track Amendment Proposal   
A proposal has been made for a fast-track amendment to IEC 62366 related to use with legacy products. Application of "62366 Medical devices - Application of usability engineering to medical devices" to legacy devices has been inconsistent and problematic, and this proposal is for a fast-track amendment to address what is called User Interface of Unknown Provenance (UOUP). The proposal includes a draft for a section to address this, including review of field history and a simplified approach for addressing usability in terms of identification of frequently used and primary operating functions and a risk management review. 
3/5/2012  SoftwareCPR.com February 2012 Newsletter   
This SoftwareCPR.com newsletter lists items added to the web site since September 25, 2011 and as of February 29, 2012. It serves as an easy reference to find new or updated items that may be of interest to you and provides a full index of SoftwareCPR educational items. You can click on sections of the document and the related web page should open. 
2/29/2012  Insulin Infusion Pump Hacking Article   
An article on the QMED website reporting on hacking of Medtronic Infusion pumps using remote wireless capability that could allow patient harm. 
2/2/2012  EU Guidance Classification of Standalone Software.   
The European Commission has issued a final guidance on standalone software entitled: "GUIDELINES ON THE QUALIFICATION AND CLASSIFICATION OF STAND ALONE SOFTWARE USED IN HEALTHCARE WITHIN THE REGULATORY FRAMEWORK OF MEDICAL DEVICES." The full document is at the link provided.
 
2/2/2012  IOM Report on Health IT and patient Safety   
The Institute of Medicine report is at the link provided. 
1/27/2012  EU Guidance Classification of Standalone Software   
The European Commission has indicated it plans to release a final guidance on standalone software shortly entitled: "GUIDELINES ON THE QUALIFICATION AND CLASSIFICATION OF STAND ALONE SOFTWARE USED IN HEALTHCARE WITHIN THE REGULATORY FRAMEWORK OF MEDICAL DEVICES." A full near final draft is available to softwarecpr.com subscribers in the document library on this website.
 
1/27/2012  UL 1998 Revisions out for comment   
The UL 1998 revision comment period ends March 5, 2012. The suggested revisions include:
-reducing ambiguity in the applicability of the requirements for Negative Condition Branch failure mode and stress testing.
-revision of requirements to address the effects of power supply voltage variations
-revised formatting of Table A2.1 to clarify acceptable measures for each requirement.

If you are interested in the exact proposals please leave a message on our website.
 
1/1/2012  SoftwareCPR.com News Items 1999-2011   
The PDF at the link attached is a report of all news items posted from 1999-2012 except for news items related to documents also posted in the Library on the site, as these remain available by searching the library.