Software in Medical Devices, by MD101 Consulting

We've seen in the previous article the revolution in the regulatory classification brought by the new rule 10a for standalone software.
Let's see now the other changes. These changes are relevant for all software: standalone, embedded, device or accessory.
They're not as big as the new rule 10a, but they will deserve a significant amount of man-hours and documentation.

A new version of the MEDDEV 2.1/6 was published in July 2016.

The first version of 2012 was a major breakthrough. The new version won't change you life. Almost nothing new, excepted a few definitions on software, input data, output data, a remarkable reference to IMDRF definitions, and a non-significant update of the first decision tree.

Add to that a few typos, and you have the new version of the MEDDEV:

• "lossless compression" disappeared from the decision tree (was it intentional?) but is still present in the explanations of decision step 3,
• Decision step 7 doesn't have any explanation.

MEDDEV for nothing ♫ and tips for free ♬.

Warning: obsolete content. Please read: Is my software in class I, IIa, IIb or III.
Last update on 2016/07/31.

The British Standard Institute published in February 2016 a white paper titled How to prepare for and implement the upcoming MDR – Dos and don’ts. Register on BSI website to download the paper.
This white paper gives top-notch recommendations on the way to compliance with the future EU Medical Device Regulation (MDR), based on the draft version. But their interpretation of MDR classification rules on standalone software are somewhat surprising.

The FDA released one week ago a new draft guidance on Postmarket Management of Cybersecurity in Medical Devices.
This guidance is the sister of the guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices released in 2014. Both guidances address cybersecurity at different steps of software lifecycle: the 2014 guidance is about cybersecurity during design and development, the 2016 draft guidance is about cybersecurity during post-market surveillance.

We continue this series on validation of software used in production and QMS with the Validation Master Plan (VMP).
Better than endless explanations, I added a Validation Master Plan template to my templates repository page.

If you watch from time to time the new guidances released by the FDA, you probably noticed that two guidances about software were released in january and february 2015.

At last! The FDA has published last October a guidance about cybersecurity that matters!
Not that the guidance previously published about Off-the-shelf software cybersecurity wasn’t worth reading it (Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software), but its scope was more than reduced.

We continue this series about DHF, DMR and DHR, with the Device Master Record.

The FDA released on june 20th 2014 a new draft guidance about:

• Medical Devices Data Systems (MDDS) subject to 21 CFR 880.6310,
• Medical image storage devices subject to 21 CFR 892.2010, and
• Medical image communications devices subject to 21 CFR 892.2020.

Link to FDA MDDS draft guidance: EDIT - draft guidance superseded by final guidance, see this post