Friday 16 August 2019
By Mitch on Friday 16 August 2019, 13:44
We continue this series of articles on cybersecurity with a free and non-exhaustive review of UL 2900-1 standard.
What is UL 2900-1? This standard was published in 2017 by Underwriters Laboratory (UL). It contains technical requirements on cybersecurity for network connectable products. A collateral UL 2900-2-1 focuses on connectable healthcare and wellness systems. UL 2900-1 and UL 2900-2-1 are FDA recognized standards. Thus, applicable to medical devices.
Friday 26 July 2019
By Mitch on Friday 26 July 2019, 13:34 - Regulations
The ANSM French Competent Authority published in July 2019 a draft guideline on cybersecurity for medical devices. The European medical device sector should greatly applaud this initiative. This is the first and only guideline on cybersecurity with regard to the European medical device regulations.
Friday 19 July 2019
By Mitch on Friday 19 July 2019, 14:10 - Regulations
The GMED notified body has published a guide on substantial changes: named Guidance document for the interpretation of significant changes in the framework of article 120: “Transitional provisions” of Regulation (EU) 2017/745. This guide addresses changes according to the article 120 of the MDR. It's a decision tree in the same vein as FDA guidances on deciding when to submit a new 510k.
As a manufacturer, your mission, if you accept it, is to answer "No" for all your products CE marked with the MDD.
For hardware, be prepared to place your design in the freezer.
For software, be prepared to place your design in liquid nitrogen.
The guidance is on the page on white papers of GMED website.
Sunday 26 May 2019
By Mitch on Sunday 26 May 2019, 14:00 - Regulations
Today is the 26th of May 2019. Rings a bell? In one year exactly, your class I MD software will be living in borrowed time on the EU market.
Because of rule 11 of 2017/745/UE Medical Device Regulation (MDR).
Tuesday 26 March 2019
By Mitch on Tuesday 26 March 2019, 16:21 - Regulations
To be software as a medical device or not to be.
That is the question.
And you rely on Competent Authorities to determine whether software is a medical device or not.
For example, you have some practical examples on the ANSM website (google translate is my Friend): here is the lastest version.
And you wish you had a way to be noticed by the ANSM when the page changes. Hell no, no way.
Especially you wish you had been noticed when the ANSM change their mind on telesurveillance software: here is the previous version on archive.org if you want to compare with the latest.
Before: examples showing that communicating data, like tele follow-up is not a MD, with the invocation of expert function (found in MEDDEV 2.1/6 only for qualification of IVD, not MD) to exclude software without such function.
After: examples showing that tele surveillance is a MD (exit the expert function).
Arrgghh, This isn't Good Regulatory Practice.
Thursday 24 January 2019
By Mitch on Thursday 24 January 2019, 12:50 - Regulations
Monday 15 October 2018
By Mitch on Monday 15 October 2018, 14:58 - Templates
Hi there! Long time no see once again. I dig up our series of posts on cybersecurity.
In this post I publish two new templates for cybersecurity risk management.
Friday 6 July 2018
By Mitch on Friday 6 July 2018, 13:41 - Processes
Usability is a requirement, which has been present in regulations since a long time. It stems from the assessment of user error as a hazardous situation. It is supported by the publication AAMI HE75 standard, FDA guidances, and the publication of IEC 62366 in 2008 followed by IEC 62366-1:2015.
Although usability engineering is a requirement for the design of medical devices, most of people designing software are not familiar with this process. This article is an application of the process described in IEC 62366-1 to software design.
Wednesday 18 April 2018
By Mitch on Wednesday 18 April 2018, 15:18 - Templates
European Regulation 2016/679, aka GDPR, will be fully in force in May 2018. Everybody knowns that we have something to do to be compliant since it has been published. And everybody is getting awake only two months before the full application. So do I.
Friday 19 January 2018
By Mitch on Friday 19 January 2018, 14:15 - Regulations
Here is a quick follow-up of the new version of the FDA Guidance titled Medical Device Accessories – Describing Accessories and Classification Pathways, published in December 2017. This comes a bit in parallel to the Section 3060 guidance described in the previous post on the 21st Century Cures Act.
Friday 12 January 2018
By Mitch on Friday 12 January 2018, 15:00 - Regulations
Since the last blog post on US FDA guidance on software classification, things evolved quickly with the FDA. We know where they want to go with software as medical device, but not exactly how they will implement it.
Let's do a review of what has been done since the publication of the 21st Century Cures Act.
Sunday 7 January 2018
By Mitch on Sunday 7 January 2018, 16:52 - Misc
Happy New Year 2018!
Thanks for still visiting this blog, despite the spaced updates!
Wednesday 20 September 2017
By Mitch on Wednesday 20 September 2017, 17:48 - Standards
A reader of the post on IEC 62304 Amd1 2015 noticed in the comments that the sentence in section 4.3.a was removed:
If the HAZARD could arise from a failure of the SOFTWARE SYSTEM to behave as specified, the probability of such failure shall be assumed to be 100 percent.
Don't be too quick to scratch the 100 percent thing!
The dreadful 100 percent is still present in the informative Annex B.4.3.
Even if it is no more in the normative part, you shall continue to bear in mind this assumption when assessing software risks. The underlying concept is that it's not possible to assess probability of software failure, thus the worst case shall be considered.
This is the state-of-the-art, present in ISO 14971, in IEC 80002-1, in IEC 62304, and in the FDA Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.
100% probability is not dead!
By Mitch on Wednesday 20 September 2017, 14:18 - Standards
While the FDA continues to update periodically and reliably the list of recognized standards (last update in August 2017), the European Commission hasn't updated the list of harmonized standards since may 2016.
Monday 3 July 2017
By Mitch on Monday 3 July 2017, 14:06 - Regulations
We continue this series of posts on cybersecurity with some comments on impacts of cybersecurity on the software development documentation.
Tuesday 16 May 2017
By Mitch on Tuesday 16 May 2017, 22:34 - Misc
If you are a regular visitor of this blog, you noticed that almost three months elapsed between the last two articles on cybersecurity.
That's not what I planned.
The time dedicated to this blog was totally swallowed by the other facets of my job. Namely filling the gap between the current level of compliance of manufacturers, and the new expectations of notified bodies and regulatory authorities in the European Union. The bar has been raised!
It gives you a sense of what we're getting into with the new MDR.
By Mitch on Tuesday 16 May 2017, 21:53 - Standards
After a long pause, we continue this series about cybersecurity in medical devices with a discussion on AAMI TIR57:2016 Principles for medical device security — Risk management.
Saturday 6 May 2017
By Mitch on Saturday 6 May 2017, 10:59 - Regulations
The Medical Device Regulation and In-Vitro Device Regulation have been published the 5th May 2017!
See the Official Journal of the EU.
Friday 10 February 2017
By Mitch on Friday 10 February 2017, 14:20 - Regulations
By Mitch on Friday 10 February 2017, 14:19 - Regulations