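IEC 81001-5-1 requires manufacturers to define the applicability of the security life cycle processes within their quality management system (4.1.3, Determination of applicability).
In the MDR, this applicability appears to have been anticipated already. Annex I 17.2 states: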
"For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation."
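Accordingly, every piece of software and every product containing software would automatically have to provide security documentation that complies with IEC 81001-5-1.
I think this is somewhat exaggerated. I would not want to guide a digital clinical thermometer, which contains software and shows a temperature value on a digital display, through a complete security life cycle process according to IEC 81001-5-1. This is especially true because IEC 81001-5-1 does not define any limits on effort and documentation (compare the safety classes of IEC 62304).
We can therefore use a note in IEC 81001-5-1 (4.1.4, Note 1) to limit the applicability of the security life cycle process: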
"For HEALTH SOFTWARE some IT exposure, networking, or data interfacing capabilities are assumed and therefore a secure software LIFE CYCLE is followed"
I therefore suggest that the applicability statement in the security procedure instruction could read:
"As soon as a medical device is software or contains software AND at the same time has any form of data interface to other devices or systems, it falls under the scope of the security lifecycle process."
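Interestingly, this also coincides with the current draft of the Cyber Resilience Act, which will in future apply to all products in Europe (with the exception of medical devices and some other products):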
'This Regulation shall apply to devices incorporating digital elements, the intended or reasonably foreseeable use of which involves a direct or indirect logical or physical data connection to a device or network.'
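It appears that MDR Annex I Section 17.2 defines the application of the information security process too narrowly. Hopefully the notified bodies will follow this line of reasoning!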
