In the last decade we have seen a growth in software-embedded medical devices. This, combined with a powerful off-the-shelf (OTS) software industry exploding around the world has forced regulatory bodies to re-think how to accommodate safety and risk requirements.
Cloud computing is both cost-effective and flexible, allowing for the quick scaling of computing resources and the provision of new services based on real-time demand. In many areas of industry, cloud computing has turned capital expenditures into operational expenditures, while increasing availability and cybersecurity. Moreover, companies delivering software in a SaaS model over the cloud also enjoy quick development and deployment cycles thanks to the advancement of Continuous Integration and Delivery techniques (CI/CD).
Within the SaaS industry, a PaaS industry of Off-the-shelf Platform software infrastructures has also evolved as a service that allows for the accelerated building of end-user-facing SaaS.
In the medical device arena, cloud computing allows for many beneficial applications, such as remote patient monitoring, data collection for medical research, as well as an emerging medical device architecture, where a significant proportion of the device functionality is executed on the cloud, rather than on the edge hardware. At BioT, we call this architecture a ‘distributed medical device.’
The benefits of the ‘distributed medical device’ architecture are great. It enables manufacturers to reduce the cost of the edge hardware by limiting the need for a strong CPU and memory. Manufacturers are able to introduce new capabilities more quickly, without the complexity related to firmware updates. Finally, it makes the device less exposed to cyber and privacy risks, because the IP (and in some cases, meaningful data) is not on the edge hardware anymore. With the option for slimmer, more affordable devices that can easily scale to the homes of patients, it seems evident that this is the future of medical devices.
Building a cloud-based medical device from scratch is an enormous and risky effort. Therefore, it makes perfect sense to utilize relevant OTS SaaS (we pronounce “OTSaaS” 😊) available, which can reduce the effort and risk to build by up to 95%. However, with OTSaaS new quality-oriented challenges rise.
In general, the FDA quality regulation requires that verification and validation (V&V) should take place whenever maintenance changes and new capabilities are introduced to a product baseline. This is to validate that the design structure and system logic are not negatively impacted anywhere in the device or in a way that increases patient risk or lowers efficacy.
The “validated state” as dictated by the FDA (and presented very nicely by our friends at Orthogonal), is proof that the medical software and quality systems are working as intended, and as affirmed by the previously accepted regulatory filings and the FDA’s quality management systems standards. This concept is the cornerstone of safe medical devices including Software as a Medical Device (SaMD), Digital Therapeutics (DTx), and connected medical device systems development. Without trust in the validation of the device software, there can be no trust in the ability of MedTech to improve health outcomes.
V&V processes must be consistently documented. When applied to a traditional hardware-based medical device, this is relatively straightforward as manufacturers have full control over each and every element of the software and computational environment.
With a cloud-based environment, the V&V process is much more challenging because the cloud is essentially a special form of OTSaaS. One challenge of OTSaaS is that not only does the device manufacturer lack full control over it, but the OTSaaS provider (e.g. cloud vendor) can regularly make updates to their technology stack, without prior notice – and without advanced customer approval.
The medical device manufacturer’s challenge is how to validate the software and maintain FDA validation without knowing when and what updates are being done by the cloud service provider. As with many other aspects of cloud computing, companies using the cloud weigh the tradeoff of having less control over their computing environment with the incredible economies of scale of public cloud vendors.
The Association for the Advancement of Medical Instrumentation (AAMI) is an organization formed to set safety standards in both the design and usage of innovative medical devices. For cloud computing, the AAMI has a designated task group to focus on the issue of the appropriate use of public cloud computing for quality systems and medical devices.
Recently, this task group concluded that given the circumstances of cloud-based software, a continuously validated state cannot be achieved when using the cloud. In lieu of a continuously validated state, the task group considers the alternative: to achieve an intermittently validated state where the validation is periodically examined and re-confirmed.
The types of validation that a medical device manufacturer needs to perform and the frequency with which these validations need to be conducted depends on the level of risk associated with the use of the cloud service for a particular device. Until a concrete standard or TIR (technical information report) is published on the subject, AAMI’s task force recommends that manufacturers take a risk-based approach to validation.
This requires manufacturers to ask themselves several questions:
The risk-based approach can be summed up as, ‘determining how a manufacturer can increase the chance of detecting a change and minimize the time taken to resolve it.’
The AAMI task force suggests that the following actions will help manufacturers to lower risk and meet the challenge of V&V:
For further reading about current action items, AAMI CR510:2021 provides the full details.
Clearly, a permanent solution is needed for the cloud change control challenge.
AAMI’s TIR 115 Working Group SM-WG10 was created by Randy Horton from Orthogonal and Pat Baird from Philips to address these issues. Bringing together a broad spectrum of stakeholders in the medical device and cloud ecosystem, this working group includes representatives from prominent cloud vendors, medical device companies, and the FDA, as well as innovative startups and platform vendors.
BioT is honored to be among the contributors to TIR 115, bringing the voice of platform vendors to the table. On one hand, as a PaaS (Platform as a Service), BioT is a user of cloud services, requiring BioT to maintain control measures to mitigate cloud vendor changes. On the other hand, as a PaaS provider, BioT is also required to provide such measures to the medical device companies we serve. This allows BioT a balanced perspective on the issues involved.
We invite anyone interested in cloud change control to be in touch and consider joining the AAMI TIR working group. Working together, we can shape industry standards, thereby improving patient outcomes, for years to come.
Interesting in Contributing to AAMI TIR 115? Contact Us