The draft guidance replaces the 2018 draft version and is intended to further emphasize the importance of ensuring that devices are designed securely, enabling emerging cybersecurity risks to be mitigated throughout the Total Product Life Cycle, and to outline the FDA’s recommendations more clearly for premarket submission content to address cybersecurity concerns.
This guidance document is applicable to devices that contain software (including firmware) or programmable logic, as well as software as a medical device (SaMD).
FDA will assess the adequacy of the device’s security based on the device’s ability to provide and implement the security objectives below throughout the system architecture.
Using a Secure Product Development Framework (SPDF) to Manage Cybersecurity Risks
The primary goal of using an SPDF is to manufacture and maintain safe and effective devices and it includes:
The agency is accepting public comments on the guidance until July 7.
The IVDR has a date of application of 26 May 2022. New or significantly modified IVDs must meet the full requirements of the IVDR to be placed onto the market after May 26, 2022. Until that date, multiple IVD tests are added to the EU market under the old and less stringent directive (IVDD). There will be a staggered transition period of 5 years for these legacy IVDs placed on the market under Directive 98/79/EC by class (26 May 2025 for devices that fall in class D under the IVDR, 2026 for class C, 2027 for class B and A sterile).
The main aim of this guidance is to point out where to focus limited resources in the shorter term to ensure IVDR compliance as soon as possible and by the date of application. This guidance is applicable for Member States, the European Commission and all interested parties (e.g., IVD manufacturers) to ensure that the IVDR (EU) 2017/746 is operational from 26 May 2022.
The guidance divides the priorities into two categories:
Standards. (Availability of harmonised European standards cited in the Official Journal of the European Union (OJEU) to confer presumption of conformity would support compliance with the requirements of the IVDR for manufacturers.)
The Fitbit Irregular Rhythm Notifications feature is a software as a medical device (SaMD). The Fitbit Irregular Rhythm Notifications feature analyzes pulse rate data to identify heart rhythms that are consistent with atrial fibrillation (AFib) and, if identified, provides a notification to the user. Devices analyze pulse rate gathered from PPG pulse rate data to identify episodes of irregular heart rhythms suggestive of atrial fibrillation (AFib) and provide a notification to the user.
Software Testing Summary:
The Fitbit Irregular Rhythm Notifications presents a “moderate” level of concern (LOC) as defined in FDA’s Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (May 11, 2005) (Guidance Document). The software components consist of the Irregular Rhythm Notifications algorithm, which resides/runs on Fitbit servers, and the mobile app used for on-boarding, education and display of notification results. Testing supports that the algorithm analyzes pulse rate data and classifies it as having signs of AFib, having no signs of AFib, or unanalyzable. Testing of the mobile application demonstrates that the Fitbit Irregular Rhythm Notifications mobile application adequately surfaces on-boarding/educational information, generates user notifications when the feature identifies an irregular rhythm suggestive of AFib, and facilitates viewing of that notification.
Human Factors Testing Summary:
A human factors study was designed to evaluate the critical and noncritical tasks associated with the use of the device. Human Factors Usability testing was performed using a simulated version of the Fitbit Irregular Rhythm Notifications mobile app, representative of the final app.
There were a total of 30 subjects distributed into two (2) user groups:
○ Have concern regarding AFib and have an active interest in monitoring potential AFib, and
○ Would use the app due to high interest
○ Do not have concern regarding AFib and do not have an active interest in monitoring potential AFib, and
○ Might use the app due to casual or passing interest.
The Human Factors Validation demonstrated that the Fitbit Irregular Rhythm Notifications meets the special control requirements for human factors and usability testing that demonstrates the following:
Testing was also performed to assess consumers’ ability to correctly self-select if the Irregular Rhythm Notifications app is intended for them. This testing involved 33 subjects, including both users for whom the app is intended, as well as persons outside the app’s intended use population. The testing concluded that users can adequately self-select if the device is intended for them.
© 2022 BeanStock Ventures