Currently developing a software medical device locked to deployment on a non-medical, internally developed general computing platform.
The requirements and mitigations are defined and evaluated for the system as a whole, including the non-medical portion. This has lead to mitigations being identified and implemented entirely within the scope of the computing platform (e.g. OS/HW redundancy features needed by the medical device, OS firewall settings, OS notifications....). It is a known/fixed computing platform that the product will be verified/validated on.
I would like to take advantage of this and rely directly on the verification of the mitigations on the computing platform, without relying on additional external mitigations (e.g. to check the firewall settings at installation/runtime), however I keep running into a logic wall of, if it contains the implementation of mitigations, should it be:
- Considered for risk classification within SDLC?
- Required to meet all the documentation rigor of class A/B/C?
- Be considered a medical device?
I'm very open to answers, or even re-thinking the problem as a whole.
/Chris K.
The requirements and mitigations are defined and evaluated for the system as a whole, including the non-medical portion. This has lead to mitigations being identified and implemented entirely within the scope of the computing platform (e.g. OS/HW redundancy features needed by the medical device, OS firewall settings, OS notifications....). It is a known/fixed computing platform that the product will be verified/validated on.
I would like to take advantage of this and rely directly on the verification of the mitigations on the computing platform, without relying on additional external mitigations (e.g. to check the firewall settings at installation/runtime), however I keep running into a logic wall of, if it contains the implementation of mitigations, should it be:
- Considered for risk classification within SDLC?
- Required to meet all the documentation rigor of class A/B/C?
- Be considered a medical device?
I'm very open to answers, or even re-thinking the problem as a whole.
/Chris K.