Software in Medical Devices, by MD101 Consulting

The IMDFR organization published in January 2024 a new document on Medical Device Software: Considerations for Device and Risk Characterization
Say briefly, this document is a gem!

The FDA issued in April a new draft guidance on Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. This guidance will supersede the guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices of 2014, when it is finalized. There’s no word about the draft guidance of 2018. We can suppose that one is obsolete.

The FDA published in July the final version of the Guidance on Multiple Function Device Products. Despite the absence of the word "software" in the title, it addresses at first software medical devices. It also addresses hardware devices, but we will focus on software in this post.

The US FDA published in October 2018 a new draft version of its guidance on the content of premarket submissions for management of cybersecurity in medical devices. Two months later, Health Canada published in December 2018 a draft guidance document on pre-market requirements for medical device cybersecurity.

Since the last blog post on US FDA guidance on software classification, things evolved quickly with the FDA. We know where they want to go with software as medical device, but not exactly how they will implement it.
Let's do a review of what has been done since the publication of the 21st Century Cures Act.

This article is a follow-up of the previous article on the Draft guidance on Postmarket Management of Cybersecurity in Medical Devices.

The FDA released a guidance on clinical evaluation of standalone software medical device (a.k.a SAMD) in October 2016. This guidance is the same text and has the same presentation as the International Medical Device Regulatory Forum (IMDRF) guidance on SAMD clinical evaluation published in August 2016.

A new version of the MEDDEV 2.1/6 was published in July 2016.

The first version of 2012 was a major breakthrough. The new version won't change you life. Almost nothing new, excepted a few definitions on software, input data, output data, a remarkable reference to IMDRF definitions, and a non-significant update of the first decision tree.

Add to that a few typos, and you have the new version of the MEDDEV:

• "lossless compression" disappeared from the decision tree (was it intentional?) but is still present in the explanations of decision step 3,
• Decision step 7 doesn't have any explanation.

MEDDEV for nothing ♫ and tips for free ♬.

The FDA released one week ago a new draft guidance on Postmarket Management of Cybersecurity in Medical Devices.
This guidance is the sister of the guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices released in 2014. Both guidances address cybersecurity at different steps of software lifecycle: the 2014 guidance is about cybersecurity during design and development, the 2016 draft guidance is about cybersecurity during post-market surveillance.

When should a manufacturer report devices changes or QMS changes to notified bodies, according to the 93/42/CE directive?
There hasn't been clear criteria, until the Notified Bodies Operating Group (NBOG) published the Best Practice Guide 2014-3 : Guidance for manufacturers and Notified Bodies on reporting of Design Changes and Changes of the Quality System.