Peter Linders

advertisement
Interna<onal overview on risk classifica<on of SaMD Introduc<on of IEC 62304 and IEC 82304-­‐1 Dr. Peter Linders DITTA Standardiza.on Working Group Chair With the help of Frans Jacobs and Daniel Chen DITTA Workshop on Medical So:ware Brasília, 7 March 2016 ABOUT PETER LINDERS … • 
• 
• 
• 
• 
• 
• 
• 
Over 25 years involvement in IEC and ISO Involved in regulatory affairs since 1998 Chair of CENELEC TC 62, and ABHS COCIR Board member & chair of TRAC DITTA member Board of Directors Co-­‐project leader of future IEC 82304-­‐1 Member in AHWP TC WG1 for soYware Chair of ISO TC 210 T: +31 6 5182 6428 E: peter.linders@philips.com AGENDA Ø  Interna<onal Risk Classifica<on Ø  Introduc<on of IEC 62304 and IEC 82304-­‐1 Ø  But first … qualifica<on First: qualificaaon, or when is soYware an SaMD? (SOURCE IMDRF) Medical purpose (as defined in GHTF/SG/N71: 2012) •  diagnosis, preven.on, monitoring, treatment or allevia.on of disease, •  diagnosis, monitoring, treatment, allevia.on of or compensa.on for an injury, •  inves.ga.on, replacement, modifica.on, or support of the anatomy or of a physiological process, •  suppor.ng or sustaining life, •  control of concep.on, •  etcetera…………. SaMD defini<on: SoYware intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device First: qualificaaon, or when is soYware an SaMD? (SOURCE IMDRF) SaMD defini<on: SoYware intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device SaMD adds to medical purposes: •  provide means and suggesaons for miagaaon of a disease •  provide informaaon for determining compaability, detecang, diagnosing, monitoring or treaang physiological condiaons, states of health, illnesses or congenital deformiaes •  be an aid to diagnosis, screening, monitoring, determinaaon of predisposiaon; prognosis, predicaon, determinaaon of physiological status First: qualificaaon, or when is soYware an SaMD? Now look at this fancy gear … Medical devices? What about their soYware? First: qualificaaon, or when is soYware an SaMD? And what about this ? Remember: prevenaon is in the definiaon … Medical devices? What about soYware in fitness equipment? So, what is SaMD? “SoYware intended to be used for one or more medical purposes that perform these purposes without being part of a medical device” (Source: IMDRF 2013) “SoYware which is not incorporated in a medical device at the ame of its placing on the market or its making available” (source: European MEDDEV 2.1/6 2012) “SoYware intended to run on general purpose computers” (source: FDA Murray 2010)) “SoYware that is intended for use as a MEDICAL DEVICE” NOTE This includes a MEDICAL DEVICE soYware product, which then is a MEDICAL DEVICE in its own right. (source: IEC 62304 Ed.1.1 2015) INTERNATIONAL RISK CLASSIFICATION “STANDALONE SOFTWARE” Classificaaon Risk Based; FDA 2005, FDA defines a Major, Moderate or Minor “Level of Concern” An esamate of the severity of injury that a device could permit or inflict, either directly or indirectly, on a paaent or operator as a result of device failures, design flaws, or simply by virtue of employing the device for its intended use. • 
Major –  if a failure or latent flaw could directly result in death or serious injury to the paaent or operator –  if a failure or latent flaw could indirectly result in death or serious injury of the paaent or operator through incorrect or delayed informaaon or through the acaon of a care provider. • 
Moderate –  if a failure or latent design flaw could directly result in minor injury to the paaent or operator. –  if a failure or latent flaw could indirectly result in minor injury to the paaent or operator through incorrect or delayed informaaon or through the acaon of a care provider. • 
Minor –  if failures or latent design flaws are unlikely to cause any injury to the paaent or operator. (Source: FDA Guidance 337 2005) “STANDALONE SOFTWARE” Classificaaon Risk Based; EU MDD 2007, EU Medical Device Direc<ve 93/42/EEC introduces So:ware 2012, MEDDEV 2.1/6 provides guidance Stand alone soYware that meets the definiaon of a medical device shall be considered as an ac<ve medical device. This means that rules 9, 10, 11 and 12 of Annex IX to Direcave 93/42/EEC may apply. Active device type
Rule
Rule 9
Active therapeutic devices are in IIa or IIb
Active diagnostic devices are in IIa or IIb and, Active devices intended to emit
Rule 10
ionizing radiation and intended for diagnostic and therapeutic interventional
radiology are in IIb
Rule 11
Active devices intended to administer and/or remove medicines are in IIa or IIb
All other active devices are in Class I
Rule 12
But … almost all SaMD ends up in class I (source: MEDDEV 2.1/6 2012) “STANDALONE SOFTWARE” Classificaaon Risk Based; IMDRF IMDRF defines principles for “Categoriza<on” in 4 levels (I, II, III, IV) The four categories (I, II, III, IV) are based on the levels of impact on the paaent or public health where accurate informaaon provided by the SaMD to treat or diagnose, drive or inform clinical management is vital to avoid death, long-­‐term disability or other serious deterioraaon of health, miagaang public health. Significance of information provided by SaMD to healthcare
decision
State of Healthcare situation
or condition
Treat or diagnose
Drive clinical
management
Inform clinical
management
Critical
IV
III
II
Serious
III
II
I
Non-serious
II
I
I
(Source: IMDRF 2013) “STANDALONE SOFTWARE” SaMD Landscape/Scope Very
High Catastrophic
None Low Medium High
Impact
Classificaaon Risk Based; IMDRF Not
SaMD
Not SaMD
Type
I
Retrieves
information
Optimizes
Process
Organizes
Data
Type
I
Informs
serious
Decisions
Informs nonserious
Decision
Type
II
Type
I
Type
II
Informs
critical
Decisions
Drives nonserious
Decisions
Functionality
Type
III
Type
II
Treat/
Diagnoses
non serious
Drives
serious
Decisions
Type
IV
Type
III
Treat/
Diagnoses
serious
Drives
critical
Decisions
(Part of
MD /
Embedded
in MD)
Closed Loop
Interventions
No Clinical
Intermediary
Treats/
diagnoses
critical
“STANDALONE SOFTWARE” Classificaaon Risk Based, IEC 62304 Ed 1.0 2006, IEC 62304 Ed. 1.0 defines So:ware Safety Classes A, B and C The MANUFACTURER shall assign to each SOFTWARE SYSTEM a soYware safety class (A, B, or C) according to the possible effects on the paaent, operator, or other people resulang from a HAZARD to which the SOFTWARE SYSTEM can contribute. The soYware safety classes shall iniaally be assigned based on severity as follows: •  Class A: No injury or damage to health is possible •  Class B: Non-­‐SERIOUS INJURY is possible •  Class C: Death or SERIOUS INJURY is possible Class can be reduced form C to B or B to A by a hardware risk control measure (source: IEC 62304 Ed. 1.0 2006) “STANDALONE SOFTWARE” Classificaaon Risk Based; IEC 62304 Ed 1.1 2015, IEC 62304 Ed. 1.1 introduces RISK of HARM and a flowchart approach The MANUFACTURER shall assign to each SOFTWARE SYSTEM a soYware safety class (A, B, or C) according to the RISK of HARM to the paaent, operator, or other people resulang from a HAZARDOUS SITUATION to which the SOFTWARE SYSTEM can contribute in a worst-­‐
case scenario (source: IEC 62304 Ed.1.1 2015) For B and C classified systems, classifica.on can be reduced by applying risk control measures external to the so3ware system So, it does not have to be a hardware mi9ga9on “STANDALONE SOFTWARE” Classificaaon Risk Based General overview of IMDRF, FDA, EU and IEC 62304 State of
Healthcare
situation or
condition
Significance of information provided by
SaMD to healthcare decision
Classification
Treat or
diagnose
Drive clinical
management
Inform clinical
management
FDA
EU*
IEC
62304
Critical
IV
III
II
Major
IIb
Class C
Serious
III
II
I
Major
IIa
Class C
Non-serious
II
I
I
Moderate
I-IIa
Class B
No risk
?
?
?
Minor
I
Class A
* On the basis of classification rules 9-12; effectively almost all SaMD end up in class I
“STANDALONE SOFTWARE” Classificaaon Risk Based Conclusions •  IMDRF classificaaon is missing “zero-­‐risk” class •  Some effort sall needed to achieve coherence in regulatory classificaaon of SaMD •  Unal then: complicated standards development Introduc<on of IEC 62304 and IEC 82304-­‐1 IEC 62304 & IEC 82304-­‐1 IEC 62304: This standard defines the life cycle requirements for MEDICAL DEVICE SOFTWARE. The set of PROCESSES, ACTIVITIES, and TASKS described in this standard establishes a common framework for MEDICAL DEVICE SOFTWARE life cycle PROCESSES. IEC 82304-­‐1: This Internaaonal Standard applies to the SAFETY of HEALTH SOFTWARE PRODUCTS designed to operate on general compuang platorms and intended to be placed on the market without dedicated hardware, and its primary focus is on the requirements for MANUFACTURERS. IEC 62304 -­‐ IEC 82304-­‐1
Figure$A.1$Health$soPware$applicaJon$domains$and$scope$of$related$standards$
Scope$of$$
IEC$62304$
For$specific$$
hardware$
For$general$
compuJng$
plaTorm$
SoPware$as$
part$of$a$
medical$$
device$
SoPware;
only$
medical$
device$
SoPware$as$
part$of$
specific$
health$
hardware$
SoPware;only$
product$for$
other$$
health$use$
Health$$
soPware$
Scope$of$$
IEC$82304;1$
!
Medical$device$use$$
Other$health$use$$
2
Figure$A.1$Health$soPware$applicaJon$domains$and$scope$of$related$standards$
Scope$of$$
Health$$
IEC 62304 -­‐ IEC 82304-­‐1 (SOURCE IEC 82304-­‐1 – DRAFT FDIS) So, what is health so:ware? IEC 82304-­‐1 defini<on: HEALTH SOFTWARE soYware intended to be used specifically for managing, maintaining or improving health of individual persons, or the delivery of care Now this calls for a definiaon of “health” … IEC 62304 -­‐ IEC 82304-­‐1 (SOURCE IEC 82304-­‐1 – DRAFT FDIS) So, then what is health? Previous IEC 82304-­‐1 defini<on: HEALTH state of complete physical, mental and social well-­‐being and not merely the absence of disease or infirmity [SOURCE: WHO definiaon (WHO 1946)] Removed from the document because too broad a defini.on IEC 82304-­‐1 & IEC 62304 Health Software
software intended to be used specifically
for managing or improving health of
individual persons, or the delivery of care
Health Software
fully incorporates
Medical Software
without a clear
dividing line.
Medical Software
no single definition for all jurisdiction
No clear boundary
CONCEPT EXPANDED MEDICAL SOFTWARE à HEALTH SOFTWARE IEC 62304 -­‐ IEC 82304-­‐1 (SOURCE IEC 82304-­‐1 – DRAFT FDIS) Two other key defini<ons: HARM injury or damage to the HEALTH of people, or damage to property or the environment [SOURCE: ISO/IEC Guide 51:2014, 3.1] HAZARD potenaal source of HARM Note 1 to entry: Potenaal sources of HARM include breach of SECURITY and reducaon of effecaveness. [SOURCE: ISO/IEC Guide 51:2014, 3.2, modified — Note 1 to entry has been added.] IEC 82304-­‐1 & IEC 62304 (SOURCE IEC 82304-­‐1 – DRAFT FDIS) Figure$A.3$;$IEC$82304;1:$HEALTH$SOFTWARE$PRODUCT$processes$;$schemaJc$
USER$needs$
USER$needs$met$
Establish$INTENDED$USE;$
perform$iniJal$RISK$ASSESSMENT$
Post;market$
communicaJon$
Create$VALIDATION$report$
Decide$on$
SOFTWARE$
Establish$use$
requirements$$
Validate$HEALTH$
SOFTWARE$PRODUCT*$
Establish$
VALIDATION$plan$
Establish$system$requirements$
MAINTENANCE$
and/or$other$
post;market$
acJviJes$
Finalize$ACCOMPANYING$
DOCUMENTS$
Develop$and$release$verified$HEALTH$SOFTWARE$
Maintain$$
HEALTH$SOFTWARE$
SoPware$life$cycle$processes$as$detailed$in$IEC$62304$
*$HEALTH$SOFTWARE$PRODUCT:$HEALTH$SOFTWARE$plus$ACCOMPANYING$DOCUMENTS$
3
Figure$A.2$;$IEC$82304;1:$HEALTH$SOFTWARE$PRODUCT$processes$;$schemaJc$
USER$needs$
USER$needs$met$
Post;market$
communicaJon$
IEC 62304 -­‐ IEC 82304-­‐1 (SOURCE IEC 82304-­‐1 – DRAFT FDIS) Conclusions •  Health so:ware includes medical SW yet it is broader •  IEC 82304-­‐1 includes the medical SW grey zone (but …) •  IEC 82304-­‐1 does NOT replace IEC 62304, rather uses it as a “plug-­‐in standard”, like IEC 60601-­‐1 does •  IEC 82304-­‐1 does recognize security issues as hazards •  No coverage for specific hardware for “other health use” •  Should scope for IEC 60601-­‐1 change? •  No other parts in IEC 82304-­‐series scheduled yet •  Thoughts: TRs on valida.on and on security IEC 62304 -­‐ IEC 82304-­‐1 Note that IEC 62304 is currently in revision: •  Scope broadening, to match with IEC 82304-­‐1 •  Revised classifica<on scheme ? •  Risk management issue •  Cyber security Schedule somewhat unclear, because … IEC 62304 -­‐ IEC 82304-­‐1 ISO/TC 215 is elabora<ng a framework for health so:ware Some level of conten<ousness Planning is unclear May have impact on future of IEC 82304-­‐1 and IEC 62304 Ed.2 and IEC 80001-­‐series IEC 62304 -­‐ IEC 82304-­‐1 ISO/TC 215 is elabora<ng a framework for health so:ware Some level of conten<ousness Planning is unclear May have impact on future of IEC 82304-­‐1 and IEC 62304 Ed.2 and IEC 80001-­‐series IEC 80001-­‐SERIES (OVERVIEW) IEC 80001-1:2010 Application of risk management for IT-networks
incorporating medical devices – Part 1: Roles, responsibilities and
activities
•  Part 2-1: Step by Step Risk Management of Medical IT-Networks; Practical
Applications and Examples
•  Part 2-2: Guidance for the communication of medical device security needs,
risks and controls
•  Part 2-3: Guidance for wireless networks
•  Part 2-4: General implementation guidance for Healthcare Delivery
Organizations
•  Part 2-5: Guidance for distributed alarm systems
•  Part 2-6: Guidance for responsibility agreements
•  Part 2-7: Guidance for Healthcare Delivery Organizations (HDOs) on how to
self-assess their conformance with IEC 80001-1
•  Part 2-8: Guidance on standards for establishing the security capabilities
identified in IEC 80001-2-2 [DTR]
•  Part 2-9: Guidance for use of security assurance cases to demonstrate
confidence in IEC/TR 80001-2-2 security capabilities [NP]
OBRIGADO!
THANK YOU! 
Download