Digital technology permeates nearly every sector of health care delivery. The inclusion of software in medical device development means medical devices are becoming more complex.
The benefits of innovative technology are exponential. However, given the complexity of technology in devices, manufacturers will need to revamp their design and development strategies. This includes devoting more time and effort to design control, risk management and cybersecurity.
According to the U.S. Food and Drug Administration’s (FDA) “Design Control Guidance for Medical Device Manufacturers,” design control of a medical device begins with the development and approval of design inputs along with the associated manufacturing processes.
Design approval is more challenging with software-based medical devices because there is a higher risk of defects or functionality discrepancies surfacing later in the production process. To stay on track with initial design requirements, design control needs to involve defensible verification and validation (V&V) of R&D data. For example, companies may be required to provide documented evidence that a requirement for a specific intended use can be consistently fulfilled.
A key concept of software verification and validation is “intended use.” Software is intangible, so it’s common for the functionality to include capabilities beyond the core device requirements. Verification of software applies to the development process, which ensures that the software is built correctly based on the device’s requirements. Validation of software refers to how the software enables the device to meet the specific needs of the users and patients. Companies achieve this through the collaborative efforts of customer focus groups, health care providers, clinicians and industry subject matter experts.
There is a growing number of medical devices that are purely software. These devices are categorized as software as a medical device (SaMD), which includes mobile apps that perform health care-related functions. According to data from the U.S. Food and Drug Administration (FDA), 24 percent of all medical device recalls are due to software failures. This means risk management must be integral from the design stage throughout the device’s postmarket lifecycle.
The international standard IEC 62304 provides a framework for how risk management must be applied and documented in medical device software development at its appropriate level of concern (LOC). The IEC 62304 standard, in concert with ISO 14971, follows the philosophy that safe medical device software requires a combination of detailed risk management, good software engineering practices and effective quality management.
Following IEC 62304 makes development more stringent because of the human safety factor. Development cycles for regulated products need to be fully documented and traceable. This means the development processes, activities and tasks defined in the standard must be thoroughly mapped and accessible.
Digitization and the Internet of Everything (IoE) continues to become more prevalent in medical device manufacturing, and the industry is far from reaching its full potential with technology. Factor in the increasing number of network-connected medical devices and the attack surface just keeps getting wider. Ensuring the privacy and security of medical device data and functionality will always be challenging.
Cybersecurity concerns can pop up anytime and anywhere in a device's lifecycle. This means security risks must be assessed and mitigated before a product goes into production. Otherwise, the device has a higher likelihood of experiencing a costly postmarket recall or security breach.
The “Postmarket Management of Cybersecurity in Medical Devices” guidance states, “To manage postmarket cybersecurity risks for medical devices, a company should have a structured and systematic approach to risk management and a quality management system consistent with 21 CFR part 820.20.” Your cybersecurity efforts should emphasize identifying and addressing vulnerabilities that may permit unauthorized access, functionality modification, misuse or denial-of-use intrusions.
Innovation in medical devices promises new opportunities for medical treatment. It also issues a challenge to device manufacturers to be willing to adopt new approaches to design and development. The current emphasis of software in medical devices is more granular oversight with software development to better ensure tighter control with risk management and cybersecurity.