Software and Cybersecurity Risk Management
Software and Cybersecurity Risk Management is different from Risk Management for purely mechanical devices, usability risk management and process risk management.
The basic principles of hazard analysis and severity analysis remain similar. However, while traditional risk management methods concentrate on estimating the probability of occurrence of failure modes, the focus of Software and Cybersecurity Risk Management should be on achieving appropriate safety and security levels with corresponding independent mitigations and lines of defense.
Computer System Validation
Computer System Validations (CSV) to comply with ISO 13485 Sections 4.1.6, 7.5.6 and 7.6, 21 CFR Part 820.70, 820.75 and 21 CFR Part 11 are frequent inspection issues. Manufacturers shall validate computer systems used in production and service provision, used for monitoring and measurement of requirements and used in the quality management system. For Artificial Intelligent (AI) Medical Devices or In Vitro Diagnostic Devices, CSV is for example mandatory for development tools, algorithm training tools and tools to collect data. For IT-Systems, CSV includes all aspects of Cybersecurity. QUAREGIA has developed standard procedures and templates, e.g. according to GAMP5, which can be used out of the box or tailored to your needs, in order to comply with corresponding Pharma, Medical Device and In Vitro Diagnostic Device regulations, standards and guidelines.
Artificial Intelligence used in Medical Devices - submission/certification strategies. Regulating AI in medical devices has just started and is not yet cut in stone. However, if you use common sense on what needs to be investigated, defined and tested over time, in order to design, develop and maintain a trustworthy AI algorithm, you will be ready to submit/certify and you are in the good position, once the requirements from regulations are clear.
Besides applying already established standards and guidelines such as ISO 13485, IEC 62304, ISO 14971, IEC 62366, GAMP5, etc.
Define acceptance criteria for false positive/false negative (risk based)
Declare the chosen AI methods, provide a rationale why they are suitable to reach the intended results
Raise a suitable data set to train the algorithm, provide a rationale for the chosen data set, why is it representative and suitable
Verify against your defined requirements and design (unit, integration, system, performance)
Validate against the gold standard and provide a rationale for the chosen gold standard
Computer system validation of used tools (tools for development, algorithm training, data collection, etc.)
List anticipated changes/improvements/performance tests of the algorithms and the results over time
Cybersecurity for connected Medical Devices, Mobile Medical Applications and connected In Vitro Diagnostic Devices is a continuing end to end lifecycle process. Meaning it all starts with Cybersecurity planning in the development phase and ends with retirement of the last device in the market. Like a safety concept, also a thorough Cybersecurity concept is indispensable for such devices. Cybersecurity #RiskManagement supports the entire end to end process whereas risk control measures must be in alignment with usability engineering principles. During development, Cybersecurity requirements must be defined, secure design principles and coding guidelines must be considered and Cybersecurity musy be tested after implementation. After launching the devices, post market Cybersecurity activities must be conducted in order to continuously monitor, assess and control threats, exploits and vulnerabilities, and thus beeing reasonable secure from Cybersecurity misuse and intrusion to provide a reasonable level of confidentiality, integrity and availability. Mathias T. Eng, Founder & CEO at QUAREGIA, draws on more than 17 years of experience with Medical Device Software safety and security. QUAREGIA can support you during the entire end to end Cybersecurity lifecycle process of your devices.
Internet of Medical Things, IoMT
Legal manufacturers of connected medical device systems should be able to monitor and control each and every device in the market, collect and analyze data and at the same time fulfill data protection regulations of corresponding countries. Telemetry data, data channeling, security anchors, security tokens, end to end encryption and the possibility of offline use - the system architecture of our secure framework is state of the art, it builds on design principles of most recent payment systems, re-used to build safe and secure solutions for connected medical device systems.
Safety Assurance Cases
FDA recognizes AAMI’s TIR38 standard for Safety Assurance Cases. AAMI’s TIR38 serves as a reference to guide the development of assurance cases. The standard provides a high-level framework for creating safety assurance cases for Medical Devices and Combination Products (e.g. Drug Delivery Devices).
The examples in TIR38 are in line with the premarket requirements that FDA set on in the Infusion Pumps Total Product Life Cycle Guidance from 2014.
Get ready for submissions and inspections! QUAREGIA has profound expertise and proven track records in developing Safety-, Software Safety- and Security Assurance Cases for Drug Delivery Devices.