ehealth - medical systems interoperability & mobile health
DESCRIPTION
The Medical Device industry is rapidly adopting technologies that enable communication and connectivity of health products and systems to improve both speed and quality of care as well as patient safety. The users (i.e. hospitals and others) are demanding an approach that will support interoperability among multiple independently sourced medical devices. Industry will require standardization to support such interoperability. Government and regulators, on behalf of the patients and in compliance with their mission to protect public health, as well as users and manufacturers, require that such interoperability is safe. This complimentary webinar will introduce the eHealth sector and applications, outline the challenges and risks inherent in connecting heterogeneous equipment into medical device systems, and provide insights into how manufacturers can demonstrate compliance with the rapidly changing regulatory landscape for interoperable medical devices. This webinar was presented by UL eHealth experts on October 30, 2013.
TRANSCRIPT
UL and the UL logo are trademarks of UL LLC © 2013
eHealth – Medical Systems Interoperability & Mobile Health
October 30, 2013
Presenters:
Anura Fernando - Principal Engineer, Medical Software & Systems Interoperability
Mark Leimbeck – Program Manager, Quality and Training
Moderated by:
Laura Elan – Program Manager, Global Service Lead - eHealth
Copyright © 2013 UL LLC
AGENDA
Why Are We Here?
New Devices and the Need for Safe Interoperability
Using Standards to Support Regulations
Conclusion
Why Are We Here?
RISK!
More specifically, from IEC 60601-1, Clause 16.1
…The MANUFACTURER of an ME SYSTEM that is (re)configurable
by the RESPONSIBLE ORGANIZATION or OPERATOR may use
RISK MANAGEMENT methods to determine which configurations
constitute the highest RISKS and which measures are needed to
ensure that the ME SYSTEM in any possible configuration does not
present an unacceptable RISK….
Examples
ABSENCE OF INTEROPERABILITY
PATIENT CONTROLLED ANALGESIA PUMPS [1] - VA representatives recently stated that PCA pumps with an integrated CO2 monitor could have prevented 60% of adverse events in 69 root cause analyses related to PCA pumps. [15]
Examples
INTEROPERABILITY “INDUCED” ERRORS
EHR prompt nearly kills prison inmate [2]
“An inmate at a California correctional facility nearly received a lethal
dose of heart medication last week at the prompting of a newly
implemented electronic health record system.”
Regulatory Response
It Has Come to Our Attention Letter†
“It has come to our attention that you are currently marketing the XXXX
analyzer …
… Since your app allows a mobile phone to analyze the dipsticks,
the phone and device as a whole functions as an automated strip
reader. When these dipsticks are read by an automated strip reader,
the dipsticks require new clearance as part of the test system.
Therefore, any company intending to promote their device for
use in analyzing, reading, and/or interpreting these dipsticks
need to obtain clearance for the entire urinalysis test system…”
† FDA Website 5/21/2013
Who is Responsible?
Manufacturer of any product which is [1]
“an instrument, apparatus, implement, machine, contrivance, implant,
in vitro reagent, or other similar or related article…
• intended for use in the diagnosis of disease or other conditions, or in
the cure, mitigation, treatment, or prevention of disease… or
• intended to affect the structure or any function of the body of man or
other animals…”
1. section 201(h) of the Federal Food Drug & Cosmetic (FD&C) Act it will be regulated by the Food and Drug Administration (FDA)
And What is the Manufacturer Responsible For?
Preamble [5], Comment #4
“…In fact the new regulation is less prescriptive and gives the
manufacturer the flexibility to determine the controls that are
necessary commensurate with risk.
The burden is on the manufacturer, however, to describe the types
and degree of controls and how those controls were decided
upon…”
What Decisions are Being Made?
21 CFR 820.30 [2] Design controls. Each manufacturer shall:
• establish and maintain procedures to control the design
• ensure that the design requirements address the:
  • intended use of the device,
  • needs of the user and patient
• include software validation and risk analysis, where appropriate…
Who is Responsible?
Management is ultimately responsible for determining and
implementing risk based decisions to ensure the safety and
effectiveness of the device
The World Today – New Devices and the Need For Safe Interoperability
Smart Grid – Even More Heterogeneity
Key Common Challenges for Systems Integrators
Understanding What Can Go Wrong
Lack of Clarity on Design Requirements and Needs
Inadequate Risk Controls
Time and Cost
Responsibility / Accountability (Who Owns the System?)
…can result in…
Therac-25
- Improper V&V – no pre-release integration testing
- Integrated re-used sw into incompatible hardware (no interlocks)
- “unlikely” sequence of keystrokes
Ariane 5
- Floating point value too large to be represented by signed integer
Mars Climate Orbiter
- Mismatched units
So, Are There Medical Device and HIT Risks?
Acute Care
Telemedicine
A Growing “Ecosystem” of Healthcare Systems
…connected via communications technology creates the world of eHealth and mHealth
“The Future” is Here
Addressing Safety and Security
Safety and Security Defined and Evolving
SAFETY: freedom from unacceptable risk [ISO 14971:2007]
SAFETY: freedom from unacceptable RISK of physical injury or damage to the health of people or damage to property or the environment [SOURCE: IEC 80001-1:2010, definition 2.30]
DATA AND SYSTEM SECURITY: an operational state of a medical IT network in which information assets (data and systems) are reasonably protected from degradation of confidentiality, integrity, and availability. [IEC 80001-1:2010]
FDA “Accessory Rule” – Avoiding Weak Links
From FDA Mobile Medical Application Draft Guidance:
“Accessories to classified devices take on the same classification as
the "parent" device. An accessory such as software that accepts
input from multiple devices usually takes on the classification of the
"parent" device with the highest risk, i.e., class.”; Final Rule, Medical
Devices, Medical Device Data Systems, 76 Fed. Reg. 8637, 8643-8644 (Feb. 15, 2011).
The Medical Device Data Systems (MDDS) Final Rule changes this and allows for ease of innovation
Regulations Begin Considering the Risks
FDA Final Rule: MDDS – 15 Feb 2011
FCC Requirements for MBAN and FDA MOU – 24 May 2012
Draft Guidance for Home Use Devices – 12 Dec 2012
FDA Draft Guidance: Management of Cybersecurity – 14 June 2013
FDA Guidance: RF Wireless Technology…– 13 Aug 2013
FDA Final Rule: Unique Device Identification Final Rule – 24 Sept 2013
FDA Draft Guidance: Global UDI Database – 24 Sept 2013
FDA Guidance: Mobile Medical Applications – 25 Sept 2013
Are You an “App” Developer?
Low Risk – Unregulated?
Higher Risk – Regulated?
Have you considered the uses?
Have you considered the users?
Have you considered the environment?
What are the risks with safety-related data?
Incorrect Information Exchange
EXAMPLE: Single Event Upset or Data Corruption
Information Not Provided
EXAMPLE: No Data
Incorrect Timing of Information
EXAMPLE: Information provided when app is inactive
Premature Termination
EXAMPLE: Dropped Signal
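An added example (not part of the UL presentation): a receiver-side check that flags each of the four data risks listed above. The frame layout, the `FLAG_LAST` marker, the 2-second freshness window and the sample readings are assumptions made for illustration, and sender and receiver clocks are assumed to be synchronized.

```python
import struct
import zlib

# Assumed frame layout (not from the webinar): sequence number, sender
# timestamp in seconds, flags byte, payload, then CRC-32 over all of it.
HEADER = struct.Struct(">IdB")
FLAG_LAST = 0x01   # hypothetical "final frame of session" marker
MAX_AGE_S = 2.0    # assumed freshness window for safety-related data

def encode(seq, sent, payload, last=False):
    body = HEADER.pack(seq, sent, FLAG_LAST if last else 0) + payload
    return body + struct.pack(">I", zlib.crc32(body))

def check_stream(frames, received_at):
    """Return (accepted payloads, findings) for frames and their arrival times."""
    accepted, findings, expected, closed = [], [], 0, False
    for raw, rx_time in zip(frames, received_at):
        # CRC-32 catches accidental corruption only; deliberate tampering
        # needs a keyed MAC or signature instead.
        if (len(raw) < HEADER.size + 4
                or zlib.crc32(raw[:-4]) != struct.unpack(">I", raw[-4:])[0]):
            findings.append("incorrect information exchange: integrity check failed")
            continue
        seq, sent, flags = HEADER.unpack_from(raw)
        if seq > expected:
            findings.append(f"information not provided: frames {expected}..{seq - 1} missing")
        if rx_time - sent > MAX_AGE_S:
            findings.append(f"incorrect timing: frame {seq} arrived too late to use")
        else:
            accepted.append(raw[HEADER.size:-4])
        expected = max(expected, seq + 1)
        closed = closed or bool(flags & FLAG_LAST)
    if not closed:
        findings.append("premature termination: no final frame before stream ended")
    return accepted, findings

def demo():
    # Constructed sample: frame 1 is corrupted in transit, frame 2 never
    # arrives, frame 3 is delivered late, and the link drops before a final frame.
    f0 = encode(0, 100.0, b"SpO2=97")
    f1 = bytearray(encode(1, 101.0, b"SpO2=96"))
    f1[-6] ^= 0x01
    f3 = encode(3, 103.0, b"SpO2=91")
    return check_stream([f0, bytes(f1), f3], [100.1, 101.1, 110.0])

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

A corrupted frame is discarded before its sequence number is trusted, so its slot is also reported as missing when the next valid frame arrives.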
Have you considered systems safety and security?
What could go wrong?
Do you test to support your safety claims?
Modified from: http://www.fda.gov/ucm/groups/fdagov-public/documents/image/ucm260345.jpg
Do you test to support your security claims?
Cryptographic Verification
Using Standards to Support Regulations
Assurance Cases Can Help Support Claims
Standards Can Help Guide Assurance Cases
Safety Standards
Standards for eHealth and mHealth Interoperability
Aug 6, 2013 FDA Recognized Consensus Standards Support Interoperability:
There are 25 new standards for interoperability grouped mainly into three categories:
1. Managing risk in a connected and networked environment;
2. Nomenclature, frameworks and medical device specific communications, including system and software lifecycle process;
3. Cybersecurity standards from the industrial control systems arena that are relevant to medical devices.
Coming soon:
AAMI / UL 2800 – interoperable medical device interface safety
…and many more are here and coming…
UL Works Directly with Government Agencies To Help Inform Health IT Policy
FDA Safety and Innovation Act (FDASIA WG)
We Have The Technology…We Can Build It… Standards and Regulations are Emerging…
Are You Prepared ???
IDEA PRODUCT & SYSTEM
Managing innovation and regulatory change
Mobile Medical Applications
Wireless Medical Devices
Hospital IT Equipment Providers
Managing innovation during regulatory change
IDEA PRODUCT
In the Development Cycle or Already in the Field
Technological framework
Safety Framework
Regulatory Framework
UL can be your partner
Comprehensive Suite of Services
Mobile Medical Apps
• Advisory services for medical device classification, training, navigation of regulations and submission support, Quality Management System registration
• Assessment to interoperability standards
• Usability advisory services, testing, and certification
• FDA Submission support including pre-audit services
• EMC and wireless co-existence testing
• Clinical & pre-clinical testing and test planning
Wireless Medical Devices
• Advisory services for satisfying regulatory guidance
• Testing services using international consensus standards to support regulatory compliance claims:
• Coexistence
• Performance
• Security
• Data integrity
• Quality of service (QoS)
• Continua Alliance Testing
• Safety / EMC
Thank You For Your Interest
How can UL help you? More information – www.ul.com/eHealth
Email: [email protected]
Hospital IT Infrastructure
• Advisory services for Medical Device Data Systems (MDDS) classification and regulatory strategy
• Testing / conformance to global standards (including recent FDA recognized consensus standards for interoperability)
• Advisory services for medical device classification, training, and regulatory submission support for system integrators