Medical device development is increasingly reliant on software to enhance the functionality, operation, maintenance or user-friendliness of medical products, eventually making it easier and safer for patients and doctors to use them.
However, this also adds complexity to the development of these safety-critical products. In the context of medical device development, software complexity equals risk. Therefore, increasingly stringent regulations and industry standards have been devised to stipulate the safety, reliability and quality requirements that these medical end products must adhere to.
In most cases, compliance with regulations such as IEC 62304, FDA Title 21 CFR Part 11, ISO 14971, IEC 60601 and other standards is necessary in order to be able to market the product. Since some standards contain guidelines on the development and risk management processes to be used, they support the development of quality medical products, and help prove their safety and reliability. Consequently, enforcing compliant processes, managing risks, and showing adherence to these requirements via traceability and process visibility facilitates compliance audits. Being able to do these in a cost-efficient manner could affect the overall success and profitability of the company.
So what are the most important medical regulations faced by developers of medical technology, and what requirements do these standards pose?
Regulations, standards and guidelines to comply with
As an international standard that is harmonized and applied in both Europe and the United States, IEC 62304 (titled Medical Device Software – Life Cycle Processes) defines the requirements of the lifecycle involved in the development of medical device software (or software embedded in medical devices). Because its processes are defined and controlled, adhering to IEC 62304 ensures the quality of the medical end product (software). In addition to quality assurance, these processes can also help reduce the product's time to market, as well as the costs of development.
The standard provides guidance on carrying out an initial safety classification for the software being developed. Process and documentation requirements are then applied to each safety level, resulting in the creation of quality medical end products. Adherence to these processes needs to be shown throughout the lifecycle, along with complete end-to-end traceability, and the use of adequate risk management measures.
Subtitled 'Application of Risk Management to Medical Devices', ISO 14971 specifies a process for identifying, analyzing and controlling (reducing or mitigating) the hazards relevant to medical devices. It also helps plan, document, and monitor the effectiveness of these hazard control measures.
It's important to note that while ISO 14971 focuses specifically on the application of risk management to medical devices, there are other standards that also require developers to implement risk management practices. ISO 13485, the regulation covering Quality Management Systems for medical devices, calls for the application of adequate "risk management throughout product realization". By FDA regulations, risk assessment is required as part of design validation (820.30 (g)).
FDA Title 21 CFR Part 11
This part of the Code of Federal Regulations (CFR) by the US Food and Drug Administration (FDA) specifies the requirements for electronic records and e-signatures used in the development of medical devices. Basically, it gives guidance on which electronic records or signatures can be considered equivalent to (as reliable as) wet ink signatures.
As a collection of standards, IEC 60601 (Medical Electrical Equipment) governs the safety and effectiveness of all medical electrical equipment. The regulation contains a section specifically aimed at software used in medical devices (Part 1-4). As an internationally recognized standard, compliance with IEC 60601-1 (Part 1) greatly facilitates the (pre-market) approval of medical device products.
How to achieve and prove compliance?
Due to the high number of standards, and the countless requirements they specify, achieving and proving compliance with several standards can be a difficult process. Luckily, these standards have a lot in common: they are not all prescriptive in how you should achieve the specified goals, letting you find efficient ways to comply. Thus, using the right processes, you can satisfy the requirements of multiple standards at the same time.
Managing, controlling, and monitoring compliant processes is best supported by mature software tools built for this specific purpose. codeBeamer ALM's advanced capabilities greatly support compliance with these requirements. Intland’s Medical IEC 62304 & ISO 14971 Template is a preconfigured medical template that comes with artifacts and processes as well as risk management and reporting capabilities to help you adhere to the processes defined by these regulations.
Let us take a look at the most important requirements that most medical standards have in common, and how adequate software tools can help you tackle these requirements!
Ensuring the complete end-to-end traceability of all work items (establishing links between artifacts from requirements through source code and test cases all the way to release) is an almost-universal requirement in these standards. This also includes a complete change history on all work items, which should help you review and control changes (answering all the questions of 'who, what, when, and how' regarding these changes). codeBeamer provides all this, as well as a convenient Traceability Browser to visualize links between work items.
Processes should also be controlled through configuration and enforcement. Intland's Medical Template contains preconfigured, but flexibly customizable workflows. codeBeamer's workflow capabilities allow you to add rules, guards, and e-signature authorization to certain steps, and also let you trigger actions by certain events, letting you automate, enforce and control processes, including approvals.
Risk management in codeBeamer is supported by preconfigured risk trackers, and a comprehensive Failure Mode and Effects Analysis (FMEA) template, as well as a full hazard management lifecycle process.
This allows you to identify, analyze, prioritize, and control the mitigation/reduction of all relevant risks. At the end of the process, comprehensive documentation on all risk management efforts can be simply exported to facilitate compliance audits.
Quality Assurance and testing
QA & Testing in codeBeamer is supported by a variety of features: test cases with parameters may be defined, saved into test libraries, and re-used in later projects. Tests may be executed on multiple hardware and software configurations, and automated testing is available via codeBeamer's Jenkins integration.
Document management & reporting
Documentation and reporting are supported by customizable wiki dashboards and by codeBeamer's document management functionality, which helps ensure data consistency by providing your teams with a single source of truth (central document management).