Medical Device Software: A Regulatory Update

Pieter de Vries 9 December 2014

Today’s presentation

• Software validation

– IEC 82304-1

• Legacy software

– IEC 62304 Amd.-1

9 December 2014 2 MDProject - Pieter de Vries

MDD (M5) – E.R. 12.1a

“…the software must be validated according to the state of the art, taking into account the principles of development lifecycle, risk management, validation and verification…”

3 9 December 2014 MDProject - Pieter de Vries

How to address ER 12.1a?

• Typically: IEC 62304

But….

9 December 2014 4

ER# Description Applicable? Applied standard Evidence

12.1a must be validated Y EN 62304:2006 Software Test Report

MDProject - Pieter de Vries

Validation

• Confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled

(ISO 9000)

5 9 December 2014 MDProject - Pieter de Vries

ISO 13485

• Shall be performed …. to ensure that validation the resulting product is capable of meeting the requirements for the specified application or intended use

• Validation shall be completed prior to the delivery or implementation of the product

9 December 2014 6 MDProject - Pieter de Vries

QSR

• Validation shall be performed under defined operating conditions

• Validation shall ensure that devices conform to defined user needs and intended uses

• Validation shall include testing under actual or simulated use conditions

7 9 December 2014 MDProject - Pieter de Vries

9 December 2014 8 MDProject - Pieter de Vries

Validation vs. Verification

Verification: We have built the product right

Validation: We have built the right product

9 9 December 2014 MDProject - Pieter de Vries

Why is validation important?

• Software failures responsible for 24% of all medical device recalls (FDA, 2011):

– Complexity of user interface

– Complexity of software

– Software reuse and SOUP

– Unrealistic risk assessments

10 9 December 2014 MDProject - Pieter de Vries

IEC 82304-1: Health software

• Product standard for standalone software

• Intended to cover aspects that were not covered by IEC 62304

9 December 2014 11 MDProject - Pieter de Vries

62304 vs. 82304-1

12 9 December 2014

Validation PRD

MDProject - Pieter de Vries

Health software

• Software intended to be used specifically for managing, maintaining or improving health of individual persons, or the delivery of care

9 December 2014 13 MDProject - Pieter de Vries

Health

• State of complete physical, mental and social well-being and not merely the absence of disease or infirmity

(WHO 1946)

9 December 2014 14 MDProject - Pieter de Vries

Examples in scope

• SW for individuals in fitness centres

• Training plan SW for rehabilitation purposes

• SW for finding best conception moment

• HIS (ZIS) / LIS / RIS

• Mobile Apps

9 December 2014 15 MDProject - Pieter de Vries

3-Steps approach

• Step 1: Document Requirement Specification

• Step 2: Apply IEC 62304

• Step 3: Validation plan + execute + report

• The report shall be reviewed by the management

• Validation manager approves the report by signing it

9 December 2014 16 MDProject - Pieter de Vries

Validation considerations

• Where?

• What?

• Who?

• Test methods?

• Number?

9 December 2014 17 MDProject - Pieter de Vries

Usability validation

9 December 2014 18 MDProject - Pieter de Vries

Conclusions IEC 82304-1

• Product standard

• Fills the gaps of IEC 62304

• Principles can be used as of tomorrow

9 December 2014 19 MDProject - Pieter de Vries

Today’s presentation

• Software validation

– IEC 82304-1

• Legacy software

– IEC 62304 Amd.-1

9 December 2014 20 MDProject - Pieter de Vries

Changes in Amd. 1

• Software safety classification

• Technical clarifications

• Legacy software

• In parallel, the 2nd edition of IEC 62304 is under development

9 December 2014 21 MDProject - Pieter de Vries

Legacy software

• Software that was created before 62304

• Two options:

– Follow clauses 4..9

– Plan B (Annex E)

• Manufacturers need to demonstrate compliance with IEC 62304 also for legacy software

9 December 2014 22 MDProject - Pieter de Vries

3-Steps approach

• Step 1: Perform a gap analysis of available documentation generated during the original development process of the legacy software

• Step 2: Evaluate post-production information

9 December 2014 23 MDProject - Pieter de Vries

Step 3

• Determine and perform the necessary actions:

– Determine software safety classification

– Document SRS on functional level, include risk control measures

– Test against SRS

– Perform retrospective risk assessment

9 December 2014 24 MDProject - Pieter de Vries

Modifications

• Any modifications made to the legacy software shall follow maintenance requirements of the standard (clause 6)

9 December 2014 25 MDProject - Pieter de Vries

Conclusions IEC 62304 Amd. 1

• How to deal with legacy software

• Technical clarifications

• Software safety classification

9 December 2014 26 MDProject - Pieter de Vries

Thank you for your attention!

27 9 December 2014 MDProject - Pieter de Vries