A new and rapidly growing technology, cloud computing is changing how medical device developers think about data and computational costs. However, for medical devices and quality systems, the significant benefits of cloud computing also come bundled with a new set of risks. That’s why experts from industry, medical device software development, and regulatory consulting recently pooled their knowledge to develop a new consensus report (CR) with the Association for the Advancement of Medical Instrumentation (AAMI).

Titled CR510, Appropriate use of public cloud computing for quality systems and medical devices, the new document provides guidance regarding the appropriate use of public cloud computing both as a component of medical devices and in support of quality systems.

“Cloud technology providers, medical device manufacturers, regulatory professionals and regulators alike should be able to refer to this document to identify known best practices for ensuring that the public cloud computing component of any medical device (or quality system component) works both within the spirit and the letter of regulations designed to ensure that medical devices improve patient outcomes and/or help manage healthcare costs, while also being safe and effective,” write the document’s authors, who are members of a task group developed under the auspices of the AAMI Application of Quality Systems to Medical Devices Working Group.

Challenges with Change

One important consideration with public cloud computing is that service providers regularly make changes to their platforms that can affect computing or functions.

“Those changes can occur without your prior consent, sometimes without prior notice, and perhaps even without notifying you after the changes have been made,” says Randy Horton, vice president of solutions and partnerships at Orthogonal, who co-chaired CR510’s task group.

“When medical devices are approved, they are under strict ‘change control.’ That is, any change they undergo must be assessed to determine if it requires resubmission for approval by regulators like the U.S. FDA,” explains Joe Lewelling, senior advisor on content and strategy at AAMI. “That’s fine when you control everything, but when you are using cloud computing, you’re working with a service provider. CR510 is the first document that really addresses how to use third-party computing platforms to operate a medical device safely and effectively.”

The pioneering guidance document specifically details how to explore six recommendations that stakeholders should consider before implementing cloud-based technologies in a medical device or quality system:

  1. Identify your intended function of cloud computing.
  2. Determine whether cloud computing is a good fit for you with a risk-based approach.
  3. Identify how frequently your cloud computing resource updates and criteria for revalidation.
  4. Determine how your cloud computing vendor could adversely impact your process or device.
  5. Establish a contingency plan for cloud computing-based adverse events.
  6. Develop a process to detect cloud computing resource updates and/or resulting adverse events.

The task group, including co-chair Pat Baird, head of global software standards at Philips, assembled a team of industry experts to determine how cloud computing is different than other technologies that have made their way into regulated medical devices over the last several decades.

“The key insight we arrived at was that public cloud computing has challenged the traditional notion of control in a validated state—that I as a medical device manufacturer control every aspect of this device or system,” Horton says. “By introducing a modern, distributed, and abstracted model of computing, you’re trading away some control for increased reliability, richer feature sets, enhanced security, and a far more flexible model for infrastructure scaling.”

“The bottom line is that with the cloud, your medical device is living in a wonderful, but more chaotic world,” he adds. “And that’s OK, so long as you understand and explicitly acknowledge this change, gather the necessary knowledge, incorporate that into your risk analysis, and then make thoughtful design decisions.”

Following the success of CR510, the AAMI Standards Board has approved development of a new technical information report (TIR) that will further explore best practices on this important subject by providing additional conceptual and practical guidance. Parties interested in participating in the TIR subcommittee should contact [email protected].

Looking Beyond the Cloud

This CR and upcoming TIR are part of AAMI’s larger strategy to address the changing medical device landscape in the wake of sophisticated, disruptive technologies that bring new value to medical devices. Artificial intelligence in medical devices and programs, for instance, may change how they perform as their machine learning algorithms are exposed to new datasets, subverting premarket regulatory checks.

On Jan. 12, 2021, the U.S. FDA released its Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan. The action plan describes a “multipronged approach to advance the agency’s oversight of AI/ML-based medical software.”

As part of the Action Plan, the FDA is having liaisons participate in the ongoing standardization efforts of the new AAMI AI Committee. The committee is currently collaborating with BSI to create new risk management standards for AI/ML use in medical devices, specifically addressing the problems posed by changing algorithms and subverted human expectations.