According to " Medical Device Registration Software Technical Review Guidelines requirements", including software for medical devices shall be submitted "at the time of registering the software description document ." The level of detail software description documents directly determined by the level of security and complexity of software. Therefore, the determination in the preparation of a medical device software description document, first make sure that the security level of the software.
According to requirements of YY / T 0664 "Medical Device Software software life cycle process", the manufacturer shall harm caused by system software that may affect the patient, the operator or other persons, giving each a software system software security level (A , B or C).
Based on the severity, should be given appropriate initial level of software security:
A grade: impossible to harm and health damage;
Class B: There may be no serious injuries;
C grade: possible death or serious injury.
So, how to determine the security level of a specific product it?
(1) according to the intended use of the product, the environment and the core functions of judgment.
The intended use of the main consideration clinical use software (such as diagnosis, treatment, monitoring, screening, etc.) and the degree of importance (such as important role, supporting role, complement, etc.), use of the environment the main consideration of the use of premises software (such as hospitals, homes, etc. ), type of disease (such as), patient populations (such as adults, children, the elderly, women, etc.) and user types the seriousness, urgency, infectious and other (such as professional users, ordinary users, patients, etc.), the core functionality of the main considerations software type of function (e.g., controls the drive, process analysis), implementation (e.g., CT image reconstruction using filtered backprojection algorithm or an iterative algorithm, anomaly identification using conventional image processing algorithm or artificial intelligence algorithms, etc.) and the complexity (e.g., the size of the algorithm, number of parameters, calculation speed).
(2) by risk management determines the level of risk identified
Each software system, giving security level before. C-level requirements shall apply. It should assume that the probability of software may cause the system fails like failure to function as defined as 100%.
If the software failure can cause the risk of death or serious injury, followed by the manufacturer in conjunction with the quality management system requirements, the establishment of the software life cycle processes and software security level matches, including software development, software maintenance process, configuration management process, risk management processes and problem-solving process. At the same time, manufacturers can be of good software engineering practices improve the quality management system requirements, software quality assurance. In addition, the manufacturer shall ensure that their information security software, to ensure confidentiality, integrity and availability of health data. From the above risk control measures to reduce risk to an acceptable level (such as YY / T0316 specified), or reduce the probability or consequences of software failure to reduce deaths caused by the failure or serious casualties, software security level can be reduced from Class C to B level; if the software fails a non-serious risk of injury caused by the same reduced to an acceptable level of risk control measures by the above, the software security level can be reduced from class B to A.
From the above, for the security level of the software, there is no hard and fast rules. Business (manufacturers) should be based on their own circumstances, include the intended use of the product, environment and core functionality and enterprise risk identification and control level to decide. That is for the same product in different enterprises may also correspond to different levels of security, because of its ability to control risk is different.