3 Critical Considerations for Evaluating Off-the-Shelf Software for Medical Devices
The rapid pace of technology innovation has led to the medical device sector becoming an integral part of the healthcare industry, delivering benefits such as reduced patient recovery time and lower cost of instruments. Unfortunately, the average time-to-market for a medical device still falls between 3-7 years.
In order to speed time-to-market, medical device manufacturers form strategic partnerships to leverage commercially available, off-the shelf components and software from vendors, and manufacturers augment their development teams with third-party professional services. When evaluating software vendors, medical device manufacturers must mitigate three critical risk factors: clinical risk, human factor risk, and cybersecurity risk. As a result, manufacturers would be wise to understand the impact of these three risk factors, and the considerations they should make when choosing the right software partners to get to market faster and safer.
Clinical risk is a risk that the device does not work as intended by the manufacturer. The stakes are as high as can be here, because if a device does not work as intended, patients will be at risk of serious (or even deadly) harm. For example, consider an infusion pump that is set to deliver a pain medication, such as dopamine, at a certain dose rate. If the pump malfunctions by delivering the drug at a higher rate than programmed, the patient could face significant harm – or even death.
To address this risk, medical device manufacturers implement development processes under ISO 13485, safety standards such as EN 60601-01, and institute software life cycle processes under IEC 62304. Pre-developed software that is generally available, but not specifically developed to be incorporated into a medical device, is defined as SOUP (Software of Unknown Provenance) under IEC 62304. This type of software is not required to be certified to IEC 62304; however, the medical device manufacturers must de-risk SOUP per the IEC 62304 requirement as follows:
- The software toolkit provides the functionality and performance that is depended upon
- The device provides the support necessary to operate the software toolkit within its specification
- The software toolkit performs as required for the medical device manufacturer’s system
In light of the SOUP requirement, medical device manufacturers should choose partners that support their IEC 62304 process, as well as other compliance needs such as quality and standards audits – and their global regulatory strategy and process. Support of these standards and processes means transparency into testing, verification, validation, quality system, and bug reporting processes – among other development process logistics which ensure that the off-the-shelf technology, and the company developing it, is low-risk.
Human Factor Risk
Human factor risk is a risk that the device is not used properly by patients/providers. In addition to harming a patient, if a device is not used correctly it might deliver false or inaccurate information, impacting long-term patient treatment and care. Returning to the infusion pump example: the device can work exactly as it’s intended, but if the user interface is not intuitive – and the user experience overall is adverse – the risk of an operator (such as a nurse, doctor, or technician) misusing the pump is critically high.
To address this risk, medical device manufacturers should offer user interfaces that are as comprehensive, easy-to-use, and intuitive as possible. Manufacturers should aim to deliver user interfaces and experiences that are on par with modern smartphones, which have set the standard for immersive user interfaces and stellar user experience across numerous industries.
However, this innovation has to be carefully delivered in order to not lose sight of the pre-smartphone generation of patients and providers. For example, the largest part of our population – baby boomers – are reaching the age where they require more from the healthcare system in the form of preventative and clinical care. Since care is not only delivered in hospitals but also through independent care centers and care in the home, medical device developers must be mindful of the older population that might not be comfortable with the most modern of technology.
Why should medical device manufacturers implement third-party software that is easy-to-use, easy to develop upon, and allows for easy and efficient iterative prototyping? Because the end-goal of the manufacturers’ Human Factors Testing should not be simply “passing the tests”; rather, it should be converging to the best possible and most adoptable device design. Being able to build prototypes quickly and easily – and iterate on these prototypes just as rapidly – helps manufacturers reach this goal. Furthermore, the prototypes are never wasted, as each successive prototype iteration influences the final device design – and since the prototype iterations are informed by the users through the Human Factors Testing, this also lowers the human factor risk. Choosing development tools and environments which facilitate the ability to prototype rapidly and implement changes quickly and efficiently allows developers to achieve designing the best possible and most adaptable device design.
Cybersecurity risk is a risk that the device can be hacked, which not only potentially compromises the patient’s safety, but also can result in sensitive patient data being stolen – which is a huge issue in itself. Once again, going back to the infusion pump example, if the infusion pump is hacked, the worst-case scenario is that the dose rate of the drug being infused can be changed to a dangerously high level, and the patient can be harmed or killed. Furthermore, the theft of patient data infringes on patient privacy rights.
To address this risk, medical device manufacturers must implement updated cybersecurity practices at device inception to eliminate security hazards throughout all stages of the creation process. Cybersecurity regulations and guidance specific to medical devices are continuing to evolve across the globe, especially in the United States and the European Union. As a result, medical device manufacturers should participate in the various medical cybersecurity working groups to stay apprised of the latest advances in the development of these medical-specific cybersecurity standards and guidance.
In addition, medical device manufacturers should select partners who develop third-party, off-the-shelf software solutions that comply with the most current cybersecurity guidance and also participate in industry cybersecurity working groups – which effectively places the manufacturers ahead of the guidance as they continue to evolve.
As an aside, device manufacturers will need to consider how insurance reimbursement folds into their development strategy and timeline, and that is a discussion manufacturers should have with insurance reimbursement experts and specialists.
Let the Risks Be Your Guide
The three critical risk factors detailed above – clinical risk, human factor risk, and cybersecurity risk – should be of vital importance to device manufacturers when selecting software partners that develop commercial-off-the-shelf software used in device development. To bring safe, effective and innovative devices to market faster, medical device manufacturers must mitigate these three risk factors within their own development program. In parallel, medical device manufacturers should hold their third-party software vendors to the same standards and best practices to mitigate these risks – essentially sharing this burden within their software partners.
By collaborating with their software technology providers to mitigate these risks, device manufacturers will be well-positioned to adhere to the most current and sophisticated regulatory strategies and follow high-tech cybersecurity best practices – as well as deliver the best possible user experience. The end result? Happier and healthier patients.