Medical Certification: Bringing genomic microcores to clinical use VoltedFlow GmbH Industriestrasse 23, 6055, Alpnach Dorf, Switzerland 1
Summary VoltedFlow has developed solutions to vastly speed up DNA and RNA pattern searching, the technology transforms personal computers into powerful machines for genetic analysis. This will initially bring benefit to university and pharmaceutical researchers in the field of genomics, but the convenience and comparatively low cost of VoltedFlow's solutions will ultimately enable widespread deployment throughout the clinical environment. This will provide physicians and patients with rapid access to genetic information to facilitate improved diagnosis and treatment. Clinical use requires the products to be certified as medical devices. This paper describes the approach that VoltedFlow proposes to achieve medical certification. 2
Table of Contents 1 Introduction... 4 2 Regulation... 6 2.1 Medical Devices... 6 3 Applicable Standards... 8 4 Software Development IEC 62304... 11 4.1 Classification... 11 5 FPGA Development RTCA/DO-254... 13 5.1 Classification... 13 6 Hardware Development IEC 61010... 15 6.1 Electrical Safety... 15 6.2 Electromagnetic Compatibility... 15 7 Capability Roadmap... 16 8 Disclaimer... 18 3
1 Introduction Advances in the field of medicine are increasingly derived from the use of genetic information to enhance the effectiveness of diagnosis and treatments. In response, the discipline of genomics has arisen to study DNA sequences within the genome. DNA sequences contain a huge amount of data; decoding and analysing the genetic information contained within them requires extensive computational power. The time taken to process the data is a major bottleneck in the analysis of genetic information and an impediment to genetic research. DNA pattern searches are currently carried out using expensive supercomputers, computing clusters, and dedicated workstations. VoltedFlow was established with the aim of speeding up DNA and RNA pattern alignment and searching by harnessing the latest advances in technology in a manner flexible enough that that it can easily be adapted as the sequencing process is improved and updated. VoltedFlow's "genomic microcore" solutions exploit the performance benefit that can be gained by implementing computational algorithms directly in hardware. A dedicated hardware design provides the opportunity to run many parallel processing paths optimised for this task. The result is an efficient algorithm that can complete genetic alignment and pattern searches much faster than is typically possible today. The genomic microcore technology is implemented on commercially available Field Programmable Gate Array (FPGA) technology. Algorithms are implemented in the FPGA hardware description language "VHDL". The use of VHDL microcode allows for rapid algorithm development, scalability and easy updates to hardware deployed in the field. VoltedFlow's genomic microcore technology is available in several forms including: Accelerator Card Intellectual Property Cores The accelerator card is a PCI-e expansion card hosting the alignment and searching algorithm on a powerful FPGA. The accelerator card is supported by device driver software and integration with common genomic software packages. Intellectual Property (IP) cores, consisting of the VHDL code, layout files and verification tests, are available for license so that an end customer can integrate the technology directly into their own hardware applications. The accelerator cards and IP Cores designed and built by VoltedFlow will initially bring their benefits to university and pharmaceutical researchers. However, as the industry develops, the VoltedFlow philosophy of accessibility and increasingly low cost are intended to enable widespread deployment throughout the clinical environment. 4
VoltedFlow believes that this approach is in step with the industry as more developments arise that make the clinical usage of genomics both medically and financially viable for end users such as hospitals. Introducing the technology into the clinical environment brings with it the responsibility to assure safe operation for the intended application. This paper describes the approach VoltedFlow proposes in order to meet these new and challenging demands through the medical certification process. 5
2 Regulation The use of medical devices in the clinical environment is regulated by law. In order that a device can be used for medical purposes it must be certified. Certification protects patients and users by ensuring that medical devices are safe and of sufficient quality for the intended application. Certification is overseen by a national agency, or notified body, that provides authorization for a manufacturer to sell a device. In the European Union, medical devices are regulated by the EU directives: 93/42/EEC Medical Devices Directive 98/79/EC In Vitro Diagnostic Medical Devices Directive In the US, the Food and Drug Administration (FDA) controls device approvals and clearances through: 510(k) premarketing submission and premarket approvals (PMA) 2.1 Medical Devices Certification is required for all equipment that is classified as a Medical Device. 93/42/EEC defines a 'medical device' as... any instrument, apparatus, appliance, material or other article, whether used alone or in combination, including the software necessary for its proper application, intended by the manufacturer to be used for human beings for the purpose of: diagnosis, prevention, monitoring, treatment or alleviation of disease diagnosis, monitoring, treatment, alleviation or compensation for an injury or handicap, investigation, replacement or modification of the anatomy or of a physiological process, control of conception, and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means. A subset of medical devices, which are regulated separately, are "Active Implantable Medical Devices" and "In Vitro Diagnostic Medical Devices" (IVD). 98/79/EC defines an 'In Vitro Diagnostic Medical Device' as... any medical device which is a reagent, reagent product, calibrator, control material, kit, instrument, apparatus, equipment, or system, whether used alone or in combination, intended by the manufacturer to be used in vitro for the examination of specimens, including blood and tissue donations, derived from the human body, solely or principally for the purpose of providing information: concerning a physiological or pathological state, or concerning a congenital abnormality, or to determine the safety and compatibility with potential recipients, or to monitor therapeutic measures. Specimen receptacles are considered to be in vitro diagnostic medical devices. 6
Medical devices include a wide range of products for clinical use, and include items which achieve their action by direct contact with the human body, for example a defibrillator, whereas IVD medical devices are typically laboratory equipment used to test samples from the body without necessarily coming into direct contact with the patient. It is clear from the regulations above, that VoltedFlow s products would be classified as medical devices, or IVD medical devices, when used for genetic analysis supporting diagnosis or treatment of a patient. It is likely in practice, that the products would be embedded within a larger system, such as an analysis workstation, or DNA sequencer. As such, it is assumed for the foreseeable future that VoltedFlow's products will form part of an IVD device. Future advancements in technology may bring the opportunity for other applications such as implantable diagnostic devices, however they are not considered further in this paper. Although VoltedFlow's products will not be in contact with the patient and do not pose any direct risk to the patient's safety, a risk arises from processing data incorrectly. The accelerator card and algorithms should be developed with sufficient quality such that they can be relied upon for accurate diagnosis. In the future, treatments are increasingly likely to be based on a patient's genetic information and erroneous data provided by the system could result in an incorrect diagnosis or failure to provide vital treatment with potentially serious consequences for the patient's health. For example, children born at risk of hereditary childhood cancers such as retinoblastoma are regularly screened for signs of cancer developing. Early diagnosis and treatment are essential for a positive outcome. If genetic testing is used to show a child has not inherited the cancer-causing gene then outpatient screening would not be necessary thus benefiting the child, the child's family and the health service. However, in this case, it is imperative that the genetic result is accurate, to avoid risking the child's life. 7
3 Applicable Standards The principal method for a manufacturer to demonstrate to the certification authority that a product has been developed with adequate consideration for safety and quality, is to show compliance to the applicable medical standards and thereby to the regulatory requirements. Figure 1 provides an overview of the medical standards applicable to VoltedFlow s products that are necessary to meet EU regulations. Compliance with the FDA's regulations can be achieved through the use of the same harmonized international standards, as shown in Figure 2. EU DirecOve 98/79/EC In Vitro DiagnosOc Medical Devices ISO 13485 Quality Management ISO 14971 Risk Management (Safety) DO- 254 FPGA Development IEC 61010-1 Electrical Equipment IEC 62304 So]ware Development Life Cycle IEC 61010-1 & 61326 Electrical Equipment & EMC IEC 61326 ElectromagneOc CompaObility IEC 62366 Usability (Ergonomics) Customer Requirements IP Core Accelerator Card Software Integrated System Figure 1: Applicable standards - EU ISO 13485 a standard for a quality management system specific to the medical industry. It should be applied at the organizational level. ISO 14971 a standard for a risk management system for medical devices. It is used to ensure safety is adequately considered in the design, manufacture and use of a device. It applies to the product, that is, a system, including hardware and software. 8
IEC 61010-1 - a standard of general safety requirements for electrical equipment intended for professional, industrial and educational use. The standard specifically covers laboratory and IVD medical devices. It references IEC 61326 for electromagnetic compatibility requirements. IEC 62366 a specific standard for the usability of medical devices. It covers the ergonomic requirements of the system to ensure the equipment can be operated safely. As such, it has aspects that apply to the system, hardware and software. IEC 62304 a specific standard for the development of software for medical devices. It establishes a framework for a lifecycle process to ensure medical device software is safe and effective. IEC 62304 assumes a foundation of ISO 13485 & 14971 to create a managed environment in which to develop software. RTCA/DO-254 an aerospace standard specific to the development of complex hardware devices, including FPGAs (also referred to as DO-254 herein). It is not a medical standard, but its selection and applicability to VoltedFlow s product line is discussed further in section 5. FDA 510(k) & PMA Medical Devices ISO 13485 Quality Management ISO 14971 Risk Management (Safety) DO- 254 FPGA Development IEC 61010-1 Electrical Equipment IEC 62304 So]ware Development Life Cycle IEC 61010-1 & 61326 Electrical Equipment & EMC IEC 61326 ElectromagneOc CompaObility IEC 62366 Usability (Ergonomics) Customer Requirements IP Core Accelerator Card Software Integrated System Figure 2: Applicable Standards - US 9
Full compliance with the above standards will allow VoltedFlow to apply to the Notified Body for approval to market products as medical devices. It is a strategic goal of VoltedFlow to be able to sell medical device components and CE marked medical devices for clinical use. It is intended to build competence incrementally, in order to establish a permanent capability in this field. Initially VoltedFlow will focus on developing its core technologies in accordance with the recognized standards: IEC 62304 - Software will be developed in accordance with IEC 62304. This applies to the accelerator card drivers and pre-built software packages. RTCA/DO-254 FPGA microcode will be developed in accordance with DO-254. This applies to the FPGA on the accelerator card and VHDL provided as IP cores. IEC 61010-1 - Hardware will be developed to allow compliance with IEC 61010-1; it is assumed for the immediate future that the accelerator card will form part of an IVD device, rather than a medical device. The relevant aspects of ISO 13485 and ISO 14971 will be applied as required by the above standards. In addition, development will be augmented by a robust systems engineering process. 10
4 Software Development IEC 62304 VoltedFlow will conduct software development in accordance with IEC 62304. This is a rigorous standard specifically for medical device software and is suitable for application up to the highest levels of risk, where device hazards include injury or death. It is a harmonized standard with the benefit that it can be used to demonstrate compliance with the EU Directives and US FDA regulations. In VoltedFlow's current product line, software development applies the accelerator card drivers and the pre-built software packages. It does not apply to the accelerator card algorithms and functionality which are developed in VHDL and are discussed in section 5. 4.1 Classification In accordance with IEC 62304, the level of rigor that is applied to a software development process depends on the risk posed by the device. The risk is assessed from a system level perspective in accordance with ISO 14971. Based on the risk assessment, a safety classification is allocated to the software, or components of the software. IEC 62304 defines three software safety classes, as shown below in Table 1. Class A requires the least difficult development process, class C demands the most rigor. Software Class Class A Class B Class C Risk No injury or damage to health is possible Non-serious injury is possible Death or serious injury is possible Table 1: Software Safety Classifications Accurate classification can only be undertaken with the knowledge of the intended function of the medical device and the associated risks to end users and patients. As, initially, VoltedFlow's products are likely to be embedded within the context of a larger system, the classification may vary based on usage. Typically, IVD devices are class A or B as they are not in contact with the patient and do not pose a direct risk. However, as discussed in section 2.1, it must be considered that the information produced by an IVD device may be used in support of decisions about treatment. The risk, and therefore classification, depends on two factors; the reliance the operator has on the information and the resulting hazard associated with treatment. Erroneous device operation could lead to a failure to provide treatment, or the provision of needless, or incorrect treatment. Depending on the treatment, this could have serious consequences for the patient s health. Where there are external means to verify the result, for example by physical examination of the patient, the classification may be lower. Conversely, where the operator has to trust the result from the system and it is the only factor used in diagnosis (as could be the case with many genetic conditions) the classification may 11
be higher. In the future, if treatments are provided preemptively based solely on a patient's genetic information, the reliability the results from DNA analysis will have to be assured. It is assumed that VoltedFlow's products will typically need to reach class B, with the potential to go to class C. Each application will of course require assessment on a case by case basis. VoltedFlow will incrementally build the capability to develop software to increasing safety classes. With the technical team's extensive experience in safety critical development, VoltedFlow are currently developing software using good system engineering practice which, in the majority of aspects, already exceeds the requirements of class A and approaches class B. Initially, therefore, VoltedFlow will establish a process that is shown to be compliant for class A, but it is intended to rapidly achieve a process that fully supports class B. Sufficient consideration will be given to the requirements of the higher classes to enable the timely extension of the process with minimum effort. Ultimately, VoltedFlow intends to achieve the capability to produce medical device software up to the highest level of class C. 12
5 FPGA Development RTCA/DO-254 VoltedFlow will develop FPGA microcode using the aerospace standard RTCA/DO-254 for guidance. VoltedFlow have elected to follow this standard as there is presently no specific medical standard for the development of FPGA microcode. As discussed in section 4, IEC 62304 is specifically targeted at software development. Development of FPGA microcode in VHDL requires different considerations for the lifecycle process, as it is a hardware-based implementation. VoltedFlow have analysed the requirements of IEC 62304 and do not believe that best practice FPGA development can be achieved by constricting the process within a software framework. As the FPGA represents a core technology for VoltedFlow, it is important to be able to develop to a recognized quality standard, and one which is consistent with the regulatory intent; to ensure the device is safe and performs correctly. The emergence of VHDL in safety critical applications and the recognition that this requires a specific lifecycle process, has been relatively recent, certainly when compared to software development which has an established maturity. Although there is no medical standard, standards in other sectors have recently started to address FPGA development, examples include ISO 26262 (automotive electronics), IEC 62061 (industrial controls) and IEC 62566 (nuclear power plant instrumentation). These are often based on the parent standard IEC 61508 (industrial functional safety), which was updated in 2010 to include considerations for FPGA development. RTCA/DO-254, however, is the most established standard, having first been published in 2000, and when applied at its highest level is extremely rigorous, suitable for use in safety critical applications. VoltedFlow's technical team has substantial aerospace experience and has worked extensively with the standard. The development of standards in other sectors has drawn substantially from DO-254 and it is anticipated that any forthcoming medical standard would do likewise. The requirements of the equivalent aerospace software standard, RTCA/DO-178, exceed those of the medical software standard IEC 62304. Therefore, VoltedFlow consider processes established using DO-254 as a basis are suitable for medical applications and have a high likelihood of compliance to any future medical standard. 5.1 Classification DO-254 defines five design assurance levels (DAL), which equate to the levels of rigor that should be applied to the development of complex hardware. The DAL are assigned based on the hazard severity associated with malfunctions of the device, or components of the device. The hazard severities are identified by a safety assessment. This is the same principle used by IEC 62304 to classify software based on risk. Table 2 shows the DAL classifications defined by DO-254, summarized for the medical context. 13
DAL DAL E DAL D DAL C DAL B DAL A Hazard Severity No Safety Effect, DO-254 not required Minor: Physical discomfort Major: Passenger physical distress, or possible injury Hazardous: Passenger serious injury or death Catastrophic: (Loss of aeroplane), multiple deaths Table 2: DO-254 Design Assurance Levels In order to apply DO-254 in a medical context, VoltedFlow will establish the equivalence of the classifications in the DO-254 and IEC 62304 processes. While it could be postulated that the highest level software safety classification, Class C (risk of serious injury or death), is equivalent to DAL B (risk of serious injury of death), these definitions cannot be equated as they originate from different industries and certification authorities. A more rigorous approach comparing each of the lifecycle process objectives is therefore necessary. This will ensure that all regulatory requirements are adequately considered. The approach proposed by VoltedFlow is to benchmark DO-178B against IEC 62304 for each class. DO-178B is the aerospace standard equivalent to DO-254, but for software development. The DALs for DO-178B and DO-254 are consistent, and establishing the equivalence between the two software standards will therefore allow the appropriate classification to be established for DO-254, as shown in Figure 3. Comparing the two software standards, rather than examining DO-254 directly against IEC 62304, will ensure a like-for-like comparison between all process objectives. = Figure 3: Mapping classifications A preliminary analysis suggests that the requirements of IEC 62304 class C lie between DAL C and DAL B. As described for software, VoltedFlow will use an ISO 14971 compatible risk assessment process to identify the hazards posed by the system and use the mapping above to allocate an appropriate DAL for the development of the FPGA components. 14
6 Hardware Development IEC 61010 There are two main aspects of regulation that relate to VoltedFlow hardware electrical safety and electromagnetic compatibility. The standards used to meet these requirements may differ from country to country, although it may be shown that there is sufficient commonality in the testing procedures that the results can be applied in multiple regions. For example the Electromagnetic Compatibility requirements to allow use of the CE Mark may be carried out through EN 55022:2010, which is understood to have equivalence to the preferred standard in Australia, CISPR 22, and can therefore be used to show compliance with the Australian CTICK standard. However for convenience we will discuss the European standards as an example of compliance. 6.1 Electrical Safety For electrical safety, IEC 60601-1 covers medical devices regulated by 93/42/EEC. However, as discussed in section 2.1, it is assumed that the accelerator card will form part of an IVD device and therefore this more stringent standard is not required. As a very low voltage component for research and development purposes the accelerator card hardware is not required to be covered by EU directive 2006/95/EC to enable it to meet the requirements for CE marking, although the current accelerator card is developed to meet the hazards outlined in IEC 60950 as good engineering practice. As a clinical device the same approach could in theory be taken. However due to the fact that any component that VoltedFlow produces in this setting would be enclosed within an IVD environment it is thought more sensible to ensure compliance is straightforward for the system equipment integrator. Therefore future accelerator cards will be developed to the laboratory and industrial standards defined in IEC 61010, as this standard defines safety requirements specifically for laboratory and IVD medical devices. 6.2 Electromagnetic Compatibility Through EU directive 2004/108/EEC, it is required that the accelerator card meet all applicable standards for electromagnetic compatibility, as defined in the EU list of harmonized standards. The relevant harmonized standards were found to be EN 55022:2010 and EN 55024:2010 for information technology equipment. These standards will be used to show compliance for initial research and development products. However, as IEC 61010 utilises IEC/EN 61326 for electromagnetic compatibility requirements of laboratory equipment, and this will be used in the future as a progression. 15
7 Capability Roadmap The design and certification of medical devices for clinical use requires technical competence beyond that needed for the development of the device itself. Thorough knowledge of the regulatory requirements and robust organizational processes are equally important. VoltedFlow believes that the intent to sell medical devices needs to be firmly embedded into the organization from the outset. This directive will ensure adequate consideration is given to the regulations both for the design of the product and in the implementation of compliant processes. The technical team has extensive experience of working within the strict regulatory frameworks of the aerospace industry. Nevertheless, VoltedFlow's capability should be built progressively to allow it to be thoroughly and permanently established - ultimately representing best practice in the field. Initially, VoltedFlow will focus on developing core technologies in accordance with the recognized standards for hardware and software, as discussed in sections 4, 5 and 6. VoltedFlow will exploit the tiered development assurance levels provisioned by these standards to voluntarily implement increasingly robust and rigorous processes, as shown in Figure 4. This is possible because products will initially be provided for the research market, which do not require medical certification. It is anticipated that VoltedFlow's initial entry into the clinical market will be as a supplier to a manufacturer of IVD devices, where the technology will be integrated within a larger system. Development of processes to recognized standards, in parallel with development of the product, will ensure that VoltedFlow's products are certifiable as soon as the clinical market is achieved. System Engineering DO- 254 FPGA IEC 62304 So]ware DAL D DAL C DAL B Class A Class B Class C Quality System ISO 13485 98/79/EC Figure 4: Capability Roadmap 16
VoltedFlow is already working with good engineering practice that exceeds the requirements of DAL D and Class A in many areas. Initially, therefore, processes will be established which meet these requirements. However, VoltedFlow intend to rapidly achieve a capability for DAL C and Class B. Ultimately, the highest levels of DAL B and Class C will be achieved, where necessitated by the risk assessment for the device. Technical processes for compliance with DO-254 and IEC 62304 will be supported by a robust system engineering process, which will include requirements management, verification, traceability and the relevant aspects of ISO 14971 for risk management. Document and configuration management will be supported by a state-of-the-art tool set. Organizational quality processes will be developed alongside the technical processes and ISO 13485 compliance will be achieved as the technical processes mature. The final goal, which will be achieved by full compliance with the above standards, is the ability for VoltedFlow to meet the regulatory requirements of 98/79/EC and sell CE marked medical devices/ivd components. 17
8 Disclaimer VoltedFlow GmbH is the owner and licensee of this design, code, or information (collectively the Information ) and is provided AS IS with no warranty of any kind, express, or implied, and shall have no liability in relation to its use. VoltedFlow GmbH makes no representation that the Information, or any particular implementation thereof, is or will be free from any claims of infringement and again, shall have no liability in relation to any such claims. Copyright 2012, VoltedFlow GmbH. All right reserved. Company and product names mentioned in this document are the trademarks or registered trademarks of their respective owners. Where those designations appear in this document, and VoltedFlow was aware of a trademark claim, the designations have been printed with initial capitals or in all capitals. 18