Medical Device Software: Complying with the MDR & FDA Regulations

PLEASE NOTE: Due to popular demand this event is now running as a 3-day event.

This course provides a comprehensive appraisal of the regulations and requirements that apply to medical device software worldwide. The seminar will be highly interactive, using real-life examples and state- of-the-art practices identified by Notified Bodies in Europe. There will be in-depth coverage on how to prepare compliant technical file documentation for medical device software products and a review of software specification, risk management, architectures, usability and resulting design documentation. In addition, there will be practical tips on how to streamline the development process, understand the regulatory requirements and how Notified Bodies review technical files.

There will be sessions on the practical implication of risk management and usability and an analysis of the differences between FDA guidance and MDR guidance on medical device software. Software recalls, the use of apps in medical devices, the implications of the new draft usability standard and advice on how to validate your system design will also be covered.

• Learn how to qualify and classify software in Europe and the rest of the world
• Get in-depth understanding of the interpretations of MDR Classification Rules 10, 11, 12, 13, 15 and 22
• Understand the implications of the MDR and US Code of Federal Regulations for software
• Gain regulatory guidance on mobile apps, software as a service, cloud computing, artificial intelligence and continuous learning software
• Learn how to write 510(K) and technical files
• Get a practical understanding of quality management, design control and how it applies to agile software development
• Hear the best practices on cyber security, risk management, usability andvalidation
• Learn the principles of clinical evaluations for software as a medical device
• Gain an insight into state-of-the-art standards applicable to software

• Senior management and project leaders
• Software product managers, researchers, developers and clinical experts
• Software development process managers
• IT managers and integrators
• Internal and external auditors and/or consultants
• Regulatory affairs professionals
• Quality system and quality assurance personnel
• Technical and medical writers
• GUI designers

Introduction to the regulations

Software qualification

• MD and IVD definitions
• Annex XVI products
• In-vitro diagnostic software
• Multi-functionality software
• Cloud computing and software as a service • Intended purpose
• Excluded functionality
• Borderline with lifestyle and fitness software
• Combination products
• Population health and educational software
• Resource and workflow management vs clinical decision support software
• Clinical decision software • Quiz

Software classification

• Implementing rules
• Classification rules
• IMDRF SaMD risk type determination • Case studies
• Quiz

General principles to bring medical device software to the EU market

• Bringing your device to the market
  • Go-to-market process – MD and IVD
  • Go-to-market process – combination products – In-house use by health institutions
  • Engage with a Notified Body
  • Implement a quality management system
  • Controlling your suppliers and subcontractors
  • UDI number
  • EUDAMED
  • Declaration of Conformity
  • Person Responsible for Regulatory Compliance
• Keeping your device on the market
  • Assuring the traceability of your product
  • Distributors, importers, authorised representatives and their liability
  • App stores and digital distribution platforms
  • Complaint handling system
  • Medical incident reporting
  • Monitoring critical components or platforms updates
  • Post-market surveillance requirements
  • Unannounced Notified Body audits
  • Service updates, upgrades and other changes
  • Quiz

Introduction to General Safety and Performance Requirements (GSPR)

• GSPR
• Harmonised standards • Common specifications • GSPR checklist

Interpretation of GSPR and their implications for software

• Reduce risk as far as possible
• State of the art
• Single fault condition
• IT environment and mobile platforms
• Diagnostic and measuring function
• Repeatability and reliability (e.g. of machine learning)
• Lifetime of a device
• Information on the manufacturer’s website • Instructions for use
• Label

Technical file

• Content
• Practical construction of a technical file

General principles to bring medical device software to the US market

• US Code of Federal Regulations and its implications for software
• 510(k) process
• FDA guidances specific to software

Practical construction of a 510(k)

Go-to-market strategy

• Regulations in the rest of the world (Brazil, Canada etc.)
• Market access and reimbursement of digital technology
• From health app to medical device software
• Considerations for software-hardware combinations
• Using the modular approach to your benefit
• Tools that allow customers to build their own devices: rules engines, programming and runtime environments,
  libraries for dataflow programming and machine learning
• When a customer becomes a manufacturer

Software development models

• Introduction
• Symptoms and root causes of poor design control • Waterfall vs agile, iterative and spiral
• Principles of good design control
• Stage-gated model

Design activities

• Project management
• Development planning
• Change management
• Requirements management
• Architecture and design
• Development
• Configuration management
• Verification and validation
• Defect management
• Design reviews

Software development standards

• EC 62304: Software life cycle management
• EC 82304-1: General requirements for product safety

Safety and essential performance of electrical medical equipment IEC 60601 and Appendix H

Security risk management

• Introduction: hacking an infusion pump
• Terminology
• Characteristics of security
• Security risk controls (a selection)
  • Organisational risk controls
  • Audit logs
  • Server and application hardening
  • Demilitarised zone architecture
  • Public key infrastructure
  • Passwords
  • Multi-factor authentication
  • Encryption
  • Virtual private networks (VPN)
  • Cloud-based data exchange
  • Mobile and voice exchange
  • User roles and privileges
  • Network monitoring and intrusion detection
  • Web service and web application protection
  • Remote network access and maintenance
• Information security management system
  • Assuring information integrity, security and privacy
    (ISO/IEC 27001)
  • Determining probability, threat, vulnerability and impact
  • Determining risk acceptability
  • Information sharing
  • MDS2 form
  • Security error messages
  • ISACs and ISAOs
  • Secure development life cycle (IEC 62443)
  • Example of a secure design process
  • Patching strategy
  • Preventing malware delivery and execution – Vulnerability scanning (pen testing)
• Legal requirements
  • MDR, NIS, GDPR and Cybersecurity Act – Security standards

IEC 80001: Application of risk management to IT-networks incorporating medical devices

Safety risk management

• Process and terminology
  • Terminology – Process
  • Roles
• Risk identification methodologies
  • Checklists
  • Grey box
  • Hazard and operability analysis (HAZOP) – Failure mode and effects analysis (FMEA) – Fault tree analysis (FTE)
• Risk control
  • Inherently safe design
  • Preventive measures
  • Corrective measures
  • Mitigations
  • Safety notices
  • Disclosures of residual risk – Risk control strategies
• Risk assessment and evaluation
  • IMDRF terminology
  • Determining severity and probability of harm
  • Determining if a risk is acceptable
  • Benefit-risk assessment
  • Deliverables
• Manufacturer accountability
  • Risk management throughout the product life cycle
  • Normal, abnormal and misuse
  • ESCs, SOUPs and COTS
  • Platform changes and failures
• Risk perception and communication

Usability of medical devices

• IEC 62366
• Formative and summative testing • Cognitive walk-throughs
• Heuristic evaluations
• User evaluations

Clinical evaluations of medical device software

• Definitions, purpose, deliverables
• Process and key characteristics
• Methodology
• Data sources
• Role of validation and usability
• Use of real-world evidence
• Considerations for artificial intelligence and continuous learning software

Practical construction of a clinical evaluation plan and report

Introduction to clinical investigations

• When is a clinical investigation needed for medical device software?
• Roles and responsibilities
• Selecting appropriate study design
• Regulatory and ethical considerations
• Diagnostic clinical performance studies
• Sustaining the quality of clinical studies
• Handling clinical data
• Analysis and reporting

Post-market surveillance (PMS)

• Post-market regulatory requirements
• Components of an effective PMS
• Process interface with CAPA, NC, vigilance, service, periodic safety updates, trend reporting
• Implementation of PMS
• Post-market clinical follow-up

Process interfaces

• Successfully bringing together risk management, clinical evaluation and post-market surveillance to streamline ways of working