Cloud Computing & Validation: 6 Key Recommendations

Randy Horton

The following is the second of a three-blog series on the Validated State. This content builds on ideas first presented by Randy Horton, Bernhard Kappe and Pat Baird of Philips at the AAMI ISC 2021 conference. Orthogonal and industry partners will continue to present on this subject at conferences in 2022. For more details, visit our Events page.


Introduction

Cloud computing is a ubiquitous tool in modern software. Though MedTech has been slow to adopt the cloud compared to other industries, the benefits that cloud computing provides to any industry’s software products are numerous. The cloud’s on-demand service scales across remotely accessed computers, so as demand increases, computing power increases without driving up costs. The flexibility of the cloud allows software to be updated and deployed at a rapid pace. And firms of any size can use it, bypassing the need for in-house, self-maintained (and costly) servers and data centers.

Third-party cloud providers are constantly reinvesting their profits and effort into improving what makes the cloud so valuable, to the benefit of their user base. But this persistent improvement is a double-edged sword for the MedTech industry. When a developer places their software on the cloud, they are giving up some amount of control of their software to the third-party provider. The environment in which their software runs is subject to updates, rollbacks and changes that providers can make on their schedule, as they constantly improve the security and enhance the functionality of their systems. MedTech developers running software with safety concerns can’t assume they’ll be notified of updates ahead of time – or that they’ll recognize a change after it’s been made.

Relinquishing control can be a frightening prospect for the MedTech industry because it challenges the long-held paradigm of software validation. When medical device software and quality systems are validated, developers are confident they are running as intended, according to industry standards and in line with assurances made to the FDA. 

Cloud providers can change the environment on a dime. We don’t have that flexibility; our changes have to be managed according to industry protocols. And when changes to the cloud introduce a bug or compromise our data, we’re in a unique position of potentially doing harm to the patients, clinicians and providers that use and prescribe our software. Software as a Medical Device (SaMD) is not going to achieve everything it could for improving patient outcomes if we cannot get past this issue. We need to find the sweet spot of taking advantage of the obvious benefits of cloud technology while mitigating risks.

At Orthogonal, we’ve pioneered the adoption of modern software development techniques in our industry. We’re pro-cloud – generally and for medical devices. In addition to over a decade of working on medical devices, our legacy includes developing cloud-based software within a year of the introduction of Amazon’s pioneering AWS. That’s why we, along with a team of industry experts, formed an AAMI Consensus Report Task Group to tackle this issue.

The Consensus Report

AAMI CR:510:2021, Appropriate use of public cloud computing for quality systems and medical devices, seeks to answer the question: How can we maintain a validated state for our software when it is on a third-party computing platform that we do not fully control? The Task Group considered all of the benefits of the cloud and all of the challenges it raises, and determined that, given the circumstances, a continuously validated state cannot be achieved. Rather, the best that could be achieved is an intermittently validated state. 

An intermittently validated state is one where the validation is periodically examined and confirmed. It is a risk-based approach similar to the risk mitigation our industry undertakes when building a system of systems or relying on hardware provided by our clients. We need to get in the habit of asking ourselves: What changes can occur between validations? How likely is it that each change will impact safety and effectiveness? How do we detect the change? How long will it take for us to correct it, and what harm could happen in between? As long as medical device developers and manufacturers plan for the changes that may occur in real time in the cloud, and respond thoughtfully and responsibly, the intermittently validated state can be reliably managed.

The cloud will continue to change and grow, and medical device developers should expect the unexpected to happen. Medical device developers can tame the uncertainty of the cloud by approaching it with a proactive mindset through the six key recommendations below.

Six Key Recommendations

The crux of the Consensus Report comes in the form of six key recommendations for responsibly embracing the cloud to support the operation of a medical device:

  1. Identify the intended function of the cloud computing resources within your product or service, including the impact of product and process areas.
  2. Apply a risk-based approach to determine whether the cloud computing resources are a good fit for your product or process.
  3. Identify the typical frequency of updates to the cloud computing resources, in order to determine a strategy and criteria for revalidating that is sustainable but also ensures enough control. The frequency depends on the risk and the immediacy of any harm that could happen.
  4. Assess the vendor and its processes with a level of scrutiny that is proportional to the ability of the vendor to adversely impact your product and processes via the cloud computing resources.
  5. Establish a plan in case an update adversely affects the software. That might include things like temporary failback, a process to return the software to a validated state while accommodating the change in the public cloud platform. The plan also includes post-incident analysis to improve the future resiliency of the software.
  6. Develop a supplier monitoring process for promptly detecting an update and verifying afterward whether your system has been adversely impacted.

These recommendations do not exist in a vacuum. They build on, but do not replace, existing industry practices and standards such as ISO/IEC 62304, ISO 13485 and 14971. As we continue to support and develop industry standards, Orthogonal and partners at AAMI will align our cloud guidance so it is consistent with the existing practices and standards.

 

What Comes Next

An AAMI Consensus Report is an initial discussion and guidance in emerging areas – it sets the tone for a formal examination into the topic. AAMI has organized Software Working Group 10 to develop a Technical Information Report on the subject, a process that will take time but that will produce even more valuable guidance on cloud computing in the MedTech industry. Randy Horton from Orthogonal and Pat Baird from Philips will reprise their CR roles as co-chairs for this TIR, and Bernhard Kappe will continue to be involved. It’s critical that Orthogonal and our business partners continue to help define standards for our industry. 

The Consensus Report Task Group will lead conversations about their findings across the community. In doing so, our industry can continue to responsibly adopt cloud computing, as well as contribute to shaping future guidance in a patient-centered, trust-focused way.


Authors

Bernhard Kappe, CEO and Founder

Randy Horton, VP of Solutions & Partnerships

Pat Baird, Head of Global Software Standards, Philips

Reference

1. To get the full report, you must either purchase it or license it through your organization's AAMI access.
