AAMI’s Groundbreaking Consensus on Cloud Technology in Medical Devices

Orthogonal is pleased to announce that a groundbreaking and much-needed industry guidance effort that we helped convene has reached the finish line! This is an important milestone in medical device software development and MedTech’s ability to safely and effectively embrace the important innovations of cloud computing, which are being adopted across every industry’s computing usage at an exponential rate.  

Because we couldn’t say it any better, we have republished (with minor tweaks) the press release that went out today from Association for the Advancement of Medical Instrumentation (AAMI), the sponsoring body for this effort:

A new and rapidly growing technology, cloud computing, is changing how medical device developers think about data and computational costs. However, for medical devices and quality systems, the significant benefits of cloud computing also come bundled with a new set of risks. That’s why experts from medical device software development and regulatory consulting recently pooled their knowledge to develop a new consensus report (CR) with the Association for the Advancement of Medical Instrumentation (AAMI).

Titled CR510, Appropriate use of public cloud computing for quality systems and medical devices, the new document provides guidance regarding the appropriate use of public cloud computing both as a component of medical devices and in support of quality systems.

“Cloud technology providers, medical device manufacturers, regulatory professionals and regulators alike should be able to refer to this document to identify known best practices for ensuring that the public cloud computing component of any medical device (or quality system component) works both within the spirit and the letter of regulations designed to ensure that medical devices improve patient outcomes and/or help manage healthcare costs, while also being safe and effective,” wrote the document’s authors, who are members of a task group developed under the auspices of the AAMI Application of Quality Systems to Medical Devices Working Group.

Challenges with Change

One important consideration with public cloud computing is that service providers regularly make changes to their platforms that can affect computing or functions.

“Those changes can occur without your prior consent, sometimes without prior notice, and perhaps even without notifying you after the changes have been made,” said Randy Horton, vice president of Solutions and Partnerships at Orthogonal, who co-chaired CR510’s task group.

“When medical devices are approved, they are under strict ‘change control.’ That is, any change they undergo must be assessed to determine if it requires resubmission for approval by regulators like the U.S. FDA,” explained Joe Lewelling, senior advisor on content & strategy at AAMI. “That’s fine when you control everything, but when you are using cloud computing, you’re working with a service provider. CR510 is the first document that really addresses how to use third-party computing platforms to operate a medical device safely and effectively.”

The pioneering guidance document specifically details how to explore six recommendations that stakeholders should consider before implementing cloud-based technologies in a medical device or quality system:

1. Identify your intended function of cloud computing.
2. Determine whether cloud computing is a good fit for you with a risk-based approach.
3. Identify how frequently your cloud computing resource updates and criteria for revalidation.
4. Determine how your cloud computing vendor could adversely impact your process or device.
5. Establish a contingency plan for cloud computing-based adverse events.
6. Develop a process to detect cloud computing resource updates and/or resulting adverse events.

The task group, including co-chair Pat Baird, head of global software standards at Philips, assembled a team of industry experts to determine how cloud computing is different from other technologies that have made their way into regulated medical devices over the last several decades.

“The key insight we arrived at was that public cloud computing has challenged the traditional notion of control in a validated state—that I as a medical device manufacturer control every aspect of this device or system,” Horton said. “By introducing a modern, distributed, and abstracted model of computing, you’re trading away some control for increased reliability, richer feature sets, enhanced security, and a far more flexible model for infrastructure scaling.”

“The bottom line is that with the cloud, your medical device is living in a wonderful, but more chaotic world,” he added. “And that’s OK, so long as you understand and explicitly acknowledge this change, gather the necessary knowledge, incorporate that into your risk analysis, and then make thoughtful design decisions.

Following the success of CR510, the AAMI Standards Board has now approved development on a new technical information report (TIR) that will further explore best practices on this important subject by providing additional conceptual and practical guidance. Parties interested in participating in the TIR subcommittee should contact [email protected].

Baird, Horton, and CR510 co-author (and Orthogonal CEO) Bernhard Kappe will share their insights about the new guidance document at the International Conference on Medical Device Standards and Regulation on October 18-20, 2021.

Looking Beyond the Cloud

This CR and upcoming TIR are part of AAMI’s larger strategy to address the changing medical device landscape in the wake of sophisticated, disruptive technologies that bring new value to medical devices. Artificial intelligence in medical devices and programs, for instance, may change how they perform as their machine learning algorithms are exposed to new datasets, subverting premarket regulatory checks.

On January 12, 2021, the U.S. FDA released its Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan. The action plan describes a “multipronged approach to advance the agency’s oversight of AI/ML-based medical software.”

As part of the Action Plan, the FDA is having liaisons participate in the ongoing standardization efforts of the new AAMI AI Committee. The committee is currently collaborating with BSI to create new risk management standards for AI/ML use in medical devices–specifically addressing the problems posed by changing algorithms and subverting human expectations.