Hey You, Get On the Cloud: Safe and Compliant Use of Cloud Computing with Medical Devices.

Numerous well-established principles, standards, and best practices serve as a robust framework for hardware-based medical device development, manufacturing, and maintenance, with the goal of ensuring ongoing safety and effectiveness. These range from broad frameworks (e.g., the Food and Drug Administration’s [FDA’s] Total Product Life Cycle) to specific standards, guidelines, and broadly accepted best practices (e.g., the ubiquitous ISO 13485 and corresponding implementation in the FDA Quality System Regulation requirements [21 CFR 820]). Because of the origin of medical devices in hardware, sections of these standards/regulations were clearly written with hardware in mind. The advent of devices that are exclusively software (Software as a Medical Device [SaMD]) created challenges for the medical device industry, ranging from development methodologies to manufacturing and postmarket maintenance and upgrades. These continue to be addressed via the adaptation of existing medical device frameworks for the SaMD life cycle in the creation of new standards and best practices (e.g., developing practices outlined in IEC 62304 and the quality principles promulgated by the International Medical Devices Regulator Forum [IMDRF]). Most recently, the execution of software has increasingly moved away from local storage and processing toward a cloud-based paradigm. This presents new challenges and opportunities throughout the development and product life cycle. However, frameworks for a cloud-based life cycle have not been fully defined. This article seeks to address the current lack of a consensus framework/guidance/ initial best practices and regulatory uncertainty around the use of cloud technology as a component in the operation of regulated medical devices. The authors believe that this issue can best be addressed by creating a well-understood and repeatable pathway, which this article can help kickstart, followed by progression to a consensus report. After that, if there is collective value for the ecosystem to take this pathway further, this work could evolve into an AAMI Technical Information Report (TIR) or approved standard. The objective of developing new standards or guidance is to provide the industry with a clearly marked path to move forward to a “medical device cloud framework” that takes into account the following: • Use of cloud technology in a sustained, compliant manner • A large collection of available cloud technology currently exists that is well established, reliable, and being used in the regulated industry • The existence of established, highly competent cloud technology providers for cloud computing • Certain aspects of cloud technology actually can be less risky compared with traditional medical device computing models This article will discuss the following topics: • History of the cloud • The National Institute of Standards and Technology’s (NIST’s) definition of the cloud • Current obstacles and compliance issues related to cloud usage in the FDA-regulated industry • Critical thoughts in defining usage of cloud technology • Critical thoughts on the risk management approach • Critical thoughts on the validation approach • Critical thoughts on the purchasing control approach Clay Anselmo is principal quality