Regulatory Aspects of Digital Healthcare Solutions

Size: px

Start display at page:

Download "Regulatory Aspects of Digital Healthcare Solutions"

Alexina Carpenter
6 years ago
Views:

1 Regulatory Aspects of Digital Healthcare Solutions TÜV SÜD Product Service GmbH Dr. Markus Siebert Rev. 02 / TÜV SÜD Product Service GmbH Slide 1

2 Contents Digital solutions as Medical Device Classification of software Relevant Standards Data security Preview software new MDR TÜV SÜD Product Service GmbH Slide 2

3 Contents Digital solutions as Medical Device Classification of software Relevant Standards Data security Preview software new MDR TÜV SÜD Product Service GmbH Slide 3

4 Digital solutions as Medical Device Software Classical devices Apps & Wearables Digital healthcare solutions TÜV SÜD Product Service GmbH Slide 4

5 Digital solutions as Medical Device Legal requirements Medical Devices Act MPG (Medizinproduktegesetz) Medical Devices Directive MDD 93/42/EEC (Medizingerätedirektive) Decrees, orders (Harmonized) standards Guidelines, recommendations TÜV SÜD Product Service GmbH Slide 5

6 Medical Devices Directive 93/42/EEC Definition: medical device (MDD, Article 1) any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of: diagnosis, prevention, monitoring, treatment or alleviation of disease, diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap, investigation, replacement or modification of the anatomy or of a physiological process, control of conception, and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means. TÜV SÜD Product Service GmbH Slide 6

7 Medical Devices Directive 93/42/EEC Essential requirements: (MDD, Annex I) 1. The devices must be designed and manufactured in such a way that, when used under the conditions and for the purposes intended, they will not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons, provided that any risks which may be associated with their intended use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety. TÜV SÜD Product Service GmbH Slide 7

8 Medical Devices Directive 93/42/EEC Essential requirements: (MDD, Annex I) 2. The solutions adopted by the manufacturer for the design and construction of the devices must conform to safety principles, taking account of the generally acknowledged state of the art. In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order: eliminate or reduce risks as far as possible (inherently safe design and construction), where appropriate take adequate protection measures including alarms if necessary, in relation to risks that cannot be eliminated, inform users of the residual risks due to any shortcomings of the protection measures adopted. [ ] TÜV SÜD Product Service GmbH Slide 8

9 Medical Devices Directive 93/42/EEC Essential requirements: (MDD, Annex I) [ ] 6a Demonstration of conformity with the essential requirements must include a clinical evaluation in accordance with Annex X. [ ] 12.1a For devices which incorporate software or which are medical software in themselves, the software must be validated according to the state of the art taking into account the principles of development lifecycle, risk management, validation and verification. TÜV SÜD Product Service GmbH Slide 9

10 Contents Digital solutions as Medical Device Classification of software Relevant Standards Data security Preview software new MDR TÜV SÜD Product Service GmbH Slide 10

11 Classification of software General distinction between classes I, IIa, IIb und III From class I to III the risk potential increases In class I it can be additional distinguished between the variants class I sterile class I with measuring function Essential requirements are applicable for all classes For different classes different conformity assessment procedures are defined TÜV SÜD Product Service GmbH Slide 11

12 Classification of software 1. MDD Annex IX: Classification criteria 2. MEDDEV 2.4/1 (June 2010): Guidance document Classification of Medical Devices 3. MEDDEV 2.1/6 (July 2016): Guidance document Qualification and Classification of stand alone software 4. MANUAL ON BORDERLINE AND CLASSIFICATION IN THE COMMUNITY REGULATORY FRAMEWORK FOR MEDICAL DEVICES (Sept 2015): 9. Software and mobile applications TÜV SÜD Product Service GmbH Slide 12

13 Classification of software MDD, Annex IX: Classification criteria I. Definitions 1.4. Active medical device [ ] Stand alone software is considered to be an active medical device. II. Implementing rules 2.3. Software, which drives a device or influences the use of a device, falls automatically in the same class. III. Classification 3. Additional rules applicable to active devices rule 9 to rule 12 apply. TÜV SÜD Product Service GmbH Slide 13

14 Classification of software MEDDEV 2.4/1 (June 2010): Guidance Document Classification of Medical Devices TÜV SÜD Product Service GmbH Slide 14

15 Classification of software MEDDEV 2.1/6 (July 2016): Guidelines on the Qualification and Classification of Stand Alone Software used in Healthcare within the Regulatory Framework of Medical Devices 1. Definitions and abbreviations Stand alone software Expert function software 2. Qualification criteria as medical device Must have a medical purpose Intended purpose as described by the manufacturer Must fulfill the definition of a medical device [ ] Might run on different operating systems or in virtual environments Risk related to a malfunction of the stand alone software is not a criterion TÜV SÜD Product Service GmbH Slide 15

16 Classification of software MEDDEV 2.1/6 Figure 1: Decision diagram to assist qualification of software as medical device. TÜV SÜD Product Service GmbH Slide 16

17 Classification of software TÜV SÜD Product Service GmbH Slide 17

18 Classification of software TÜV SÜD Product Service GmbH Slide 18

19 Conformity assessment procedures To obtain CE marking for the device Conformity assessment procedure depends on classification Notified Body required for devices > class I Essential requirements are applicable for all classes For different classes different conformity assessment procedures are defined TÜV SÜD Product Service GmbH Slide 19

20 Conformity assessment procedures TÜV SÜD Product Service GmbH Slide 20

21 Contents Digital solutions as Medical Device Classification of software Relevant Standards Data security Preview software new MDR TÜV SÜD Product Service GmbH Slide 21

22 Relevant Standards Some Applicable Medical Device Standards to comply with the Essential Requirements of the MDD EN ISO Quality Management ISO Risk Management IEC Software Development Lifecycle IEC Health Software IEC Usability IEC Constructional / Electrical Safety IEC x Collateral Standards IEC xx Particular Standards IEC / Application of Risk Management for IT networks IEC x incorporating Medical Devices TÜV SÜD Product Service GmbH Slide 22

23 Relevant Standards Other legal Requirements GER: Bundesdatenschutzgesetz (BDSG) EU : Directive 95/46/EG on the protection of individuals with regard to the processing of personal data and on the free movement of such data USA: Health Insurance Portability and Accountability Act (HIPAA) FDA Guidances Mobile Medical Applications (2015) General Wellness: Policy for Low Risk Devices (2015) Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (2014) Off-The-Shelf Software Use in Medical Devices (1999) bsi PAS 277:2015 Health and wellness apps Quality criteria across the life cycle Code of practice TÜV SÜD Product Service GmbH Slide 23

24 IEC 62304: Software life cycle processes Scope and Purpose IEC defines Life Cycle requirements for MEDICAL DEVICE SOFTWARE PROCESSES, ACTIVITIES, and TASKS Field of application development and maintenance of MEDICAL DEVICE SOFTWARE software is itself a MEDICAL DEVICE software is an embedded or integral part of the final MEDICAL DEVICE Does not cover validation and final release. TÜV SÜD Product Service GmbH Slide 24

IEC 82304-1: Health software Health software Part 1: General

25 IEC : Health software Health software Part 1: General requirements for product safety TÜV SÜD Product Service GmbH Slide 25

IEC 82304-1: Health software HEALTH SOFTWARE application domains

26 IEC : Health software HEALTH SOFTWARE application domains and scope of related standards TÜV SÜD Product Service GmbH Slide 26

27 Contents Digital solutions as Medical Device Classification of software Relevant Standards Data security Preview software new MDR TÜV SÜD Product Service GmbH Slide 27

28 Data security Source: TÜV SÜD Product Service GmbH Slide 28

29 Data security Essential requirements: (MDD, Annex I) 1. The devices must be designed and manufactured in such a way that, when used under the conditions and for the purposes intended, they will not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons, provided that any risks which may be associated with their intended use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety. TÜV SÜD Product Service GmbH Slide 29

30 Data security IT security requirements ISO 14971, clause 4.3 Identification of hazards: The manufacturer shall compile documentation on known and foreseeable hazards associated with the medical device in both normal and fault conditions IEC 62304, Edition 1.1, 2015, clause (Software requirements content) As appropriate to the MEDICAL DEVICE SOFTWARE, the MANUFACTURER shall include in the software requirements: e) SECURITY requirements NOTE 3 Examples include: system security/malware protection. j) requirements related to IT-network aspects (user documentation to be developed) TÜV SÜD Product Service GmbH Slide 30

31 Data security IT security requirements IEC : Health software (keyword SECURITY ) 1 Scope 1.1 Purpose This Part of applies to the SAFETY and SECURITY of HEALTH SOFTWARE PRODUCTS 4.1 General requirements and initial RISK ASSESSMENT 4.2 HEALTH SOFTWARE PRODUCT use requirements 4.5 System requirements 7.2 ACCOMPANYING DOCUMENTS 8.2 SOFTWARE MAINTENANCE 8.4 Post-market communication on the HEALTH SOFTWARE PRODUCT 8.5 Decommissioning and disposal of the HEALTH SOFTWARE PRODUCT TÜV SÜD Product Service GmbH Slide 31

32 Data security Fundamentals C-I-A: Confidentiality, Integrity, Availability of data D-R-R: Detection, Response, Recovery of IT security leaks Authentification, Authorization, Encryption TÜV SÜD Product Service GmbH Slide 32

33 Data security Security vs. Safety Safety Protecting an individual from the system Security Protecting the system from an individual Safety refers to the acceptable risk of a system Security refers to the protection of an object or data TÜV SÜD Product Service GmbH Slide 33

34 Data security Security vs. Safety Safety Based on static system assumptions regarding the environment Addresses random (hardware) and systematic failures (software & hardware) Failures are unintended Failure rates are available (e.g. experience based, MTTF, MFOT) Probabilities and resulting risks are quantifiable (Risk = Severity x Probability) Security Based on a dynamic system environment (a system seems secure today, but might be insecure by tomorrow) Attacks are intended Probabilities for attacks are not available and are difficult / impossible to calculate Threat probabilities and the resulting risks are not quantifiable, only qualifiable TÜV SÜD Product Service GmbH Slide 34

35 Contents Digital solutions as Medical Device Classification of software Relevant Standards Data security Preview software new MDR TÜV SÜD Product Service GmbH Slide 35

36 Preview software new MDR TÜV SÜD Product Service GmbH Slide 36

37 Preview software new MDR Article 2 Definitions For the purposes of this Regulation, the following definitions apply: (1) 'medical device' means any instrument, apparatus, appliance, software, implant, reagent, material or other article intended by the manufacturer to be used, alone or in combination, for human beings for one or more of the following specific medical purposes: diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of disease, diagnosis, monitoring, treatment, alleviation of, or compensation for, an injury or disability, investigation, replacement or modification of the anatomy or of a physiological or pathological process or state, providing information by means of in vitro examination of specimens derived from the human body, including organ, blood and tissue donations, and which does not achieve its principal intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means. TÜV SÜD Product Service GmbH Slide 37

38 Preview software new MDR Article 2 Definitions For the purposes of this Regulation, the following definitions apply: (4) 'active device' means any device, the operation of which depends on a source of energy other than that generated by the human body for that purpose, or by gravity, and which acts by changing the density of or converting that energy. Devices intended to transmit energy, substances or other elements between an active device and the patient, without any significant change, shall not be deemed to be active devices. Software shall also be deemed to be an active device; TÜV SÜD Product Service GmbH Slide 38

39 Preview software new MDR ANNEX I GENERAL SAFETY AND PERFORMANCE REQUIREMENTS Chapter II Requirements regarding design and manufacture 14. Construction of devices and interaction with their environment Devices shall be designed and manufactured in such a way as to remove or reduce as far as possible:.. (d) the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts; TÜV SÜD Product Service GmbH Slide 39

40 Preview software new MDR ANNEX I GENERAL SAFETY AND PERFORMANCE REQUIREMENTS Chapter II Requirements regarding design and manufacture 17. Electronic programmable systems devices that incorporate electronic programmable systems and software that are devices in themselves Devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, shall be designed to ensure repeatability, reliability and performance in line with their intended use. In the event of a single fault condition, appropriate means shall be adopted to eliminate or reduce as far as possible consequent risks or impairment of performance For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation. TÜV SÜD Product Service GmbH Slide 40

41 Preview software new MDR ANNEX I GENERAL SAFETY AND PERFORMANCE REQUIREMENTS Chapter II Requirements regarding design and manufacture Software referred to in this Section that is intended to be used in combination with mobile computing platforms shall be designed and manufactured taking into account the specific features of the mobile platform (e.g. size and contrast ratio of the screen) and the external factors related to their use (varying environment as regards level of light or noise) Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended. TÜV SÜD Product Service GmbH Slide 41

42 Preview software new MDR ANNEX I GENERAL SAFETY AND PERFORMANCE REQUIREMENTS Chapter III Requirements regarding the information supplied with the device Information in the instructions for use The instructions for use shall contain all of the following particulars: (ab) for devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended. TÜV SÜD Product Service GmbH Slide 42

43 Preview software new MDR ANNEX VIII CLASSIFICATION RULES Chapter II Implementing rules 3.3. Software, which drives a device or influences the use of a device, shall fall within the same class as the device. If the software is independent of any other device, it shall be classified in its own right. TÜV SÜD Product Service GmbH Slide 43

44 Preview software new MDR 6. ACTIVE DEVICES 6.3. Rule 11 ANNEX VIII CLASSIFICATION RULES Chapter III Classification rules Software intended to provide information which is used to take decisions with diagnosis or therapeutic purposes is classified as class IIa, except if such decisions have an impact that may cause: death or an irreversible deterioration of a person's state of health, in which case it is in class III; or a serious deterioration of a person's state of health or a surgical intervention, in which case it is classified as class IIb. Software intended to monitor physiological processes is classified as class IIa, except if it is intended for monitoring of vital physiological parameters, where the nature of variations of those parameters is such that it could result in immediate danger to the patient, in which case it is classified as class IIb. All other software are classified as class I. TÜV SÜD Product Service GmbH Slide 44

Med-Info. Council Directive 93/42/EEC on medical devices. TÜV SÜD Product Service GmbH

Med-Info. Council Directive 93/42/EEC on medical devices. TÜV SÜD Product Service GmbH Med-Info International expert information for the medical device industry Council Directive 93/42/E on medical devices Practice-oriented summary of the most important aspects and requirements contained