Storing and developing SAMD (Software as a Medical Device) in the Cloud

QSEngineer20850

Registered
I work at a medical device company under 21CFR 820 and ISO 13485, and we are starting to get into Cloud tools to develop software as a medical device. There is also a large push to use the cloud platform to distribute the software to our end users/customers. We currently do not work a lot with software as a product and I do not have a lot of experience in cloud systems or deploying software. I have put together some questions that keep coming up and would appreciate any advice anyone has about creating a compliant process.

1- How can you validate cloud software/environments that are hosted in leased servers?
2- What controls need to be in place in the cloud environment to maintain compliance?
3- In general what controls need to be in place around the storage and deployment of software?
4- What US and EU regulations/standards/guidances cover software as a product? (I know that software must be treated as a product under CFR and ISO; I am asking if there is more specific information to cover software.)
 

yodon

Leader
Super Moderator
You're definitely hitting on some challenging points. By and large, I think regulatory bodies are playing catch-up here as well.

What are the services your software depends on? What level of security is required (are you storing any PHI)? What level of availability is required (if a 24/7 guarantee is needed, multiple, redundant, geographically diverse sites are probably necessary)?

In terms of storage and deployment of software, I think the main focus is on ensuring the software is adequately protected. How will you coordinate updates with your user community?

As with most everything these days, take a risk-based approach. Think of what all might go wrong and put the controls in place to minimize those risks.

Not completely sure what you're looking for in terms of question 4, but here are some thoughts:
  • ISO 13485 is the standard for device development. It lines up pretty well with the US QSR (21 CFR 820), but there are some differences.
  • IEC 62304 is the standard for medical device software.
  • If you go to the FDA search page for guidance docs and search for 'software', you'll see several that are probably relevant (esp. the one on premarket submissions and the one on validation).
  • If you go to the IMDRF site and search on software, you'll see some relevant ones.
  • Cybersecurity is huge now. Every country / jurisdiction has its own cybersecurity guidelines / requirements. You can, for example, go to the FDA guidance search site (per above) and search on cybersecurity to get an idea there. UL has a couple of cybersecurity standards you should probably check out.
 

olieidel

Registered
(First post on this forum, so bear with me)

In my understanding you're hitting upon two points:
  1. Using cloud-based software when developing your software as a medical device --> you need to validate it according to ISO 13485
  2. Developing software as a medical device which targets the cloud as runtime --> you need to develop and test it based on IEC 62304.
For 1), you validate it just like any other software which is part of your QMS; i.e. you define requirements, run tests and check whether those requirements are fulfilled, do a risk analysis and sign off on it.

A few specifics apply to cloud-based software: You may not have control over updates; you may also have less control over uptime. So you should analyze those as part of your risk analysis. Typically, a valid outcome could / should be that cloud uptime is usually higher (that's good) and updates are okay unless they introduce breaking changes.

To answer your questions specifically:

1. Create a validation plan, do the validation, write the validation report; just like validating any other software. Be aware of the cloud specifics as stated above.
2. Depends on your country, company and customers. In the EU, GDPR compliance is an important topic. Your customers might want certain IT security standards like 27001. Depending on how sensitive the data is, maybe also encryption.
3. Depends on your software and what sort of guarantees you need re: uptime and availability.
4. In the EU, it's the MDR and everything else stated already by @yodon :)

Hope that helps!
 