The Medical Device industry is rapidly adopting technologies that enable communication and connectivity of health products and systems to improve both speed and quality of care as well as patient safety. The users (i.e. hospitals and others) are demanding an approach that will support interoperability among multiple independently sourced medical devices. Industry will require standardization to support such interoperability. Government and regulators, on behalf of the patients and in compliance with their mission to protect public health, as well as users and manufacturers require that such interoperability is safe. This complementary webinar will introduce the eHealth sector and applications, outline the challenges and risks inherent in connecting heterogeneous equipment into medical device systems, and provide insights to how manufacturers can demonstrate compliance with the rapidly changing regulatory landscape for interoperable medical devices. This webinar was presented by UL eHealth experts on October 30, 2013.

1. eHealth – Medical Systems
Interoperability & Mobile Health
October 30, 2013
Presenters:
Anura Fernando - Principal Engineer, Medical Software & Systems Interoperability
Mark Leimbeck – Program Manager, Quality and Training
Moderated by:
Laura Elan – Program Manager, Global Service Lead - eHealth
UL and the UL logo are trademarks of UL LLC © 2013
Copyright © 2013 UL LLC

2. AGENDA
Why Are We Here?
New Devices and the Need for Safe Interoperability
Using Standards to Support Regulations
Conclusion
2
Copyright © 2013 UL LLC

3. Why Are We Here?
RISK!
More specifically, from IEC 60601-1, Clause 16.1
.…The MANUFACTURER of an ME SYSTEM that is (re)configurable
by the RESPONSIBLE ORGANIZATION or OPERATOR may use
RISK MANAGEMENT methods to determine which configurations
constitute the highest RISKS and which measures are needed to
ensure that the ME SYSTEM in any possible configuration does not
present an unacceptable RISK….
3
Copyright © 2013 UL LLC

4. Examples
ABSENCE OF INTEROPERABILITY
PATIENT CONTROLLED ANALGESIA PUMPS1 - VA representatives
recently stated that PCA pumps with an integrated CO2 monitor
could have prevented 60% of adverse events in 69 root cause
analyses related to PCA pumps.15
4
Copyright © 2013 UL LLC

5. Examples
INTEROPERABILITY “INDUCED” ERRORS
EHR prompt nearly kills prison inmate2
“An inmate at a California correctional facility nearly received a lethal
dose of heart medication last week at the prompting of a newly
implemented electronic health record system.”
5
Copyright © 2013 UL LLC

6. Regulatory Response
It Has Come to Our Attention Letter†
“It has come to our attention that you are currently marketing the XXXX
analyzer …
… Since your app allows a mobile phone to analyze the dipsticks,
the phone and device as a whole functions as an automated strip
reader. When these dipsticks are read by an automated strip reader,
the dipsticks require new clearance as part of the test system.
Therefore, any company intending to promote their device for
use in analyzing, reading, and/or interpreting these dipsticks
need to obtain clearance for the entire urinalysis test system…”
† FDA
Website 5/21/2013
6
Copyright © 2013 UL LLC

7. Who is Responsible?
Manufacturer of any product which is1
“an instrument, apparatus, implement, machine, contrivance, implant,
in vitro reagent, or other similar or related article…
• intended for use in the diagnosis of disease or other conditions, or in
the cure, mitigation, treatment, or prevention of disease… or
• intended to affect the structure or any function of the body of man or
other animals…”
1. section 201(h) of the Federal Food Drug & Cosmetic (FD&C) Act it will be regulated by the Food and Drug Administration
(FDA)
7
Copyright © 2013 UL LLC

8. And What is the Manufacturer
Responsible For?
Preamble5 Comment #4
“…In fact the new regulation is less prescriptive and gives the
manufacturer the flexibility to determine the controls that are
necessary commensurate with risk.
The burden is on the manufacturer, however, to describe the types
and degree of controls and how those controls were decided
upon…”
8
Copyright © 2013 UL LLC

9. What Decisions are Being Made?
21 CFR 820.302 Design controls. Each manufacturer shall:
•
establish and maintain procedures to control the design
• ensure that the design requirements address the:
• intended use of the device,
• needs of the user and patient
•
include software validation and risk analysis, where appropriate…
9
Copyright © 2013 UL LLC

10. Who is Responsible?
Management is ultimately responsible for determining and
implementing risk based decisions to ensure the safety and
effectiveness of the device
10
Copyright © 2013 UL LLC

11. The World Today – New Devices and the
Need For Safe Interoperability
Copyright © 2013 UL LLC

12. 12

13. Smart Grid – Even More Heterogeneity
http://energyinformative.org/wp-content/uploads/2012/01/smart-grid.jpg
Slide 13

14. Key Common Challenges for Systems Integrators
Understanding What Can Go Wrong
Lack of Clarity on Design Requirements and Needs
Inadequate Risk Controls
Time and Cost
Responsibility / Accountability (Who Owns the System?)
Slide 14

15. …can result in…
Mars Climate Orbiter
- Mismatched units
Ariane 5
Floating point value too large to be
represented by signed integer
Therac - 25
- “unlikely” sequence of keystrokes
- Integrated re-used sw into
incompatible hardware (no interlocks)
- Improper V&V – no pre-release
integration testing
http://50quidsoundboy.net/wp-content/uploads/2011/05/thumb-21367-radiation_therapy.jpg
Slide 15

16. So, Are There Medical Device and HIT Risks?
Acute Care
http://henican.com/2011
Telemedicine
http://www.telemedicineinsider.com/
Slide 16

17. A Growing “Ecosystem” of Healthcare Systems
http://www.cs.purdue.edu/homes/bertino/IIS-eHealth/images/ehealth_full.jpg
Slide 17

18. …connected via communications technology
creates the world of eHealth and mHealth
18
http://intpmcomms.com/wp-content/uploads/2010/08/iStock_000011296304XSmall1.jpg

19. “The Future” is Here
http://www.themarysue.com/wp-content/uploads/2012/01/tricorder-spock.jpg
Slide 19

20. Addressing Safety and Security
http://scholar.lib.vt.edu/ejournals/JOTS/v32/v32n1/images/mcquade1.jpg
Slide 20

21. Safety and Security Defined and Evolving
SAFETY: freedom from unacceptable risk [ISO 14971:
2007]
SAFETY: freedom from unacceptable RISK of physical
injury or damage to the health of people or damage to
property or the environment
[SOURCE: IEC 80001-1:2010, definition 2.30]
DATA AND SYSTEM SECURITY: an operational state of a
medical IT network in which information assets (data and
systems) are reasonably protected from degradation of
confidentiality, integrity, and availability. [IEC 80001-1:
2010]
Slide 21

22. FDA “Accessory Rule” – Avoiding Weak Links
From FDA Mobile Medical Application Draft Guidance:
“Accessories to classified devices take on the same classification as
the "parent" device. An accessory such as software that accepts
input from multiple devices usually takes on the classification of the
"parent" device with the highest risk, i.e., class.”; Final Rule, Medical
Devices, Medical Device Data Systems, 76 Fed. Reg. 8637, 86438644 (Feb. 15, 2011).
The Medical Device Data Systems (MDDS) Final Rule changes
this and allows for ease of innovation
Slide 22

23. Regulations Begin Considering the Risks
FDA Final Rule: MDDS – 15 Feb 2011
FCC Requirements for MBAN and FDA MOU – 24 May 2012
Draft Guidance for Home Use Devices – 12 Dec 2012
FDA Draft Guidance: Management of Cybersecurity – 14 June 2013
FDA Guidance: RF Wireless Technology…– 13 Aug 2013
FDA Final Rule: Unique Device Identification Final Rule – 24 Sept 2013
FDA Draft Guidance: Global UDI Database – 24 Sept 2013
FDA Guidance: Mobile Medical Applications – 25 Sept 2013
23

24. Are You an “App” Developer?

25. Low Risk – Unregulated?

26. Higher Risk – Regulated?

27. Have you considered the uses?
VS.

28. Have you considered the users?
VS.

29. Have you considered the environment?
Acme Insurance
WWW

30. What are the risks with safety-related data?
1001010010100101101010

31. Incorrect Information Exchange
EXAMPLE:
Single Event Upset or Data Corruption
1001010010100101101010
X
31

32. Information Not Provided
EXAMPLE:
No Data
32

33. Incorrect Timing of Information
EXAMPLE:
Information provided when app is inactive
1001010010100101101010
33

34. Premature Termination
EXAMPLE:
Dropped Signal
34

35. Have you considered systems safety and security?
Acme Insurance
WWW

36. What could go wrong?
Acme
Insurance
WWW
36

37. Do you test to support your safety claims?
Modified from: http://www.fda.gov/ucm/groups/fdagov-public/documents/image/ucm260345.jpg

38. Do you test to support your security claims?
Cryptographic Verification
))
))
)))
http://img.mit.edu/newsoffice/images/article_images/20110214123646-1.jpg
38

39. Using Standards to Support Regulations
Copyright © 2013 UL LLC

40. Assurance Cases Can Help Support Claims
https://buildsecurityin.us-cert.gov/bsi/1051-BSI/version/default/part/ImageData/data/Assurance_Cases_and_LifeCycle_Processes.png
Slide 40

41. Standards Can Help Guide Assurance Cases
Safety Standards
https://buildsecurityin.us-cert.gov/bsi/1051-BSI/version/default/part/ImageData/data/Assurance_Cases_and_LifeCycle_Processes.png
Slide 41

42. Standards for eHealth and mHealth Interoperability
Aug 6, 2013 FDA Recognized Consensus Standards Support Interoperability:
There are 25 new standards for interoperability grouped mainly into three categories:
1. Managing risk in a connected and networked environment;
2. Nomenclature, frameworks and medical device specific communications,
including system and software lifecycle process;
3. Cybersecurity standards from the industrial control systems arena that are
relevant to medical devices.
Coming soon:
AAMI / UL 2800 – interoperable medical device interface
safety
…and many more are here and coming…
Slide 42

43. UL Works Directly with Government Agencies
To Help Inform Health IT Policy
FDA Safety and Innovation Act (FDASIA WG)
43
http://www2.idexpertscorp.com/images/uploads/ehr.jpg
http://static.ddmcdn.com/gif/wireless-network-1a.jpg
http://www.commercialintegrator.com/images/

44. We Have The Technology…We Can Build It… Standards
and Regulations are Emerging…
Are You Prepared ???
http://www.securedgenetworks.com
IDEA
Managing innovation and regulatory change
Mobile Medical Applications
PRODUCT
&
SYSTEM
Hospital IT Equipment Providers
Wireless Medical Devices
44

45. Managing innovation during regulatory change
IDEA
PRODUCT
In the Development Cycle or Already in the Field
Technological
framework
UL
Safety
Framework
can be
your
partner
Comprehensive
Suite of Services
Regulatory
Framework
Safety
Framework

46. Thank You For Your Interest
How can UL help you?
More information – www.ul.com/eHealth
Email: Medical.Inquiry@ul.com
Mobile Medical Apps
Wireless Medical Devices
Hospital IT Infrastructure
Advisory services for medical
device classification,
training navigation of
regulations and submission
support,
•
Advisory services for
satisfying regulatory
guidance
•
•
Testing services using
international consensus
standards to support
regulatory compliance
claims:
Advisory services for
Medical Device Data
Systems (MDDS)
classification and
regulatory strategy
•
Testing / conformance to
global standards
(including recent FDA
recognized consensus
standards for
interoperability)
•
Advisory services for
medical device
classification, training,
and regulatory
submission support for
system integrators
Quality Management System
registration
Assessment to interoperability
standards
•
Coexistence
•
Performance
•
Security
•
Data integrity
EMC and wireless coexistence testing
•
Quality of service
(QoS)
Clinical & pre-clinical testing
and test planning
•
Continua Alliance
Testing
•
Safety / EMC
Usability advisory services,
testing, and certification
FDA Submission support
including pre-audit services
46

47. Contact UL
Email: Medical.Inquiry@ul.com
Web: www.ul.com/Medical
47