@neobiotechlabs/neobiotech-dev-agent 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (155) hide show
  1. package/.claude-plugin/marketplace.json +22 -0
  2. package/.claude-plugin/plugin.json +58 -0
  3. package/.mcp.json +14 -0
  4. package/README.md +442 -0
  5. package/dist/__tests__/adf.test.d.ts +1 -0
  6. package/dist/__tests__/adf.test.js +68 -0
  7. package/dist/__tests__/adf.test.js.map +1 -0
  8. package/dist/__tests__/annex-ii-template.test.d.ts +1 -0
  9. package/dist/__tests__/annex-ii-template.test.js +39 -0
  10. package/dist/__tests__/annex-ii-template.test.js.map +1 -0
  11. package/dist/__tests__/doc-render.test.d.ts +1 -0
  12. package/dist/__tests__/doc-render.test.js +93 -0
  13. package/dist/__tests__/doc-render.test.js.map +1 -0
  14. package/dist/__tests__/help.test.d.ts +1 -0
  15. package/dist/__tests__/help.test.js +31 -0
  16. package/dist/__tests__/help.test.js.map +1 -0
  17. package/dist/__tests__/jira-fields.test.d.ts +1 -0
  18. package/dist/__tests__/jira-fields.test.js +81 -0
  19. package/dist/__tests__/jira-fields.test.js.map +1 -0
  20. package/dist/__tests__/plugin-manifest.test.d.ts +1 -0
  21. package/dist/__tests__/plugin-manifest.test.js +91 -0
  22. package/dist/__tests__/plugin-manifest.test.js.map +1 -0
  23. package/dist/__tests__/setup.test.d.ts +1 -0
  24. package/dist/__tests__/setup.test.js +7 -0
  25. package/dist/__tests__/setup.test.js.map +1 -0
  26. package/dist/__tests__/sync-version.test.d.ts +1 -0
  27. package/dist/__tests__/sync-version.test.js +37 -0
  28. package/dist/__tests__/sync-version.test.js.map +1 -0
  29. package/dist/clients/risk-client.d.ts +17 -0
  30. package/dist/clients/risk-client.js +54 -0
  31. package/dist/clients/risk-client.js.map +1 -0
  32. package/dist/clients/xray-client.d.ts +34 -0
  33. package/dist/clients/xray-client.js +127 -0
  34. package/dist/clients/xray-client.js.map +1 -0
  35. package/dist/config/project-config.d.ts +14 -0
  36. package/dist/config/project-config.js +45 -0
  37. package/dist/config/project-config.js.map +1 -0
  38. package/dist/confluence-client.d.ts +16 -0
  39. package/dist/confluence-client.js +97 -0
  40. package/dist/confluence-client.js.map +1 -0
  41. package/dist/index.d.ts +2 -0
  42. package/dist/index.js +60 -0
  43. package/dist/index.js.map +1 -0
  44. package/dist/jira-client.d.ts +35 -0
  45. package/dist/jira-client.js +119 -0
  46. package/dist/jira-client.js.map +1 -0
  47. package/dist/tools/annex-ii-template.d.ts +30 -0
  48. package/dist/tools/annex-ii-template.js +129 -0
  49. package/dist/tools/annex-ii-template.js.map +1 -0
  50. package/dist/tools/confluence.d.ts +2 -0
  51. package/dist/tools/confluence.js +54 -0
  52. package/dist/tools/confluence.js.map +1 -0
  53. package/dist/tools/cvss.d.ts +2 -0
  54. package/dist/tools/cvss.js +59 -0
  55. package/dist/tools/cvss.js.map +1 -0
  56. package/dist/tools/doc-render.d.ts +2 -0
  57. package/dist/tools/doc-render.js +96 -0
  58. package/dist/tools/doc-render.js.map +1 -0
  59. package/dist/tools/doc-validation.d.ts +2 -0
  60. package/dist/tools/doc-validation.js +221 -0
  61. package/dist/tools/doc-validation.js.map +1 -0
  62. package/dist/tools/help-data.d.ts +7 -0
  63. package/dist/tools/help-data.js +144 -0
  64. package/dist/tools/help-data.js.map +1 -0
  65. package/dist/tools/help.d.ts +2 -0
  66. package/dist/tools/help.js +39 -0
  67. package/dist/tools/help.js.map +1 -0
  68. package/dist/tools/iec.d.ts +2 -0
  69. package/dist/tools/iec.js +203 -0
  70. package/dist/tools/iec.js.map +1 -0
  71. package/dist/tools/init.d.ts +2 -0
  72. package/dist/tools/init.js +38 -0
  73. package/dist/tools/init.js.map +1 -0
  74. package/dist/tools/jira-crud.d.ts +2 -0
  75. package/dist/tools/jira-crud.js +142 -0
  76. package/dist/tools/jira-crud.js.map +1 -0
  77. package/dist/tools/risk.d.ts +2 -0
  78. package/dist/tools/risk.js +172 -0
  79. package/dist/tools/risk.js.map +1 -0
  80. package/dist/tools/traceability.d.ts +2 -0
  81. package/dist/tools/traceability.js +85 -0
  82. package/dist/tools/traceability.js.map +1 -0
  83. package/dist/tools/types.d.ts +13 -0
  84. package/dist/tools/types.js +2 -0
  85. package/dist/tools/types.js.map +1 -0
  86. package/dist/tools/usability.d.ts +2 -0
  87. package/dist/tools/usability.js +149 -0
  88. package/dist/tools/usability.js.map +1 -0
  89. package/dist/tools/xray.d.ts +2 -0
  90. package/dist/tools/xray.js +35 -0
  91. package/dist/tools/xray.js.map +1 -0
  92. package/dist/utils/adf.d.ts +27 -0
  93. package/dist/utils/adf.js +104 -0
  94. package/dist/utils/adf.js.map +1 -0
  95. package/dist/utils/cvss.d.ts +15 -0
  96. package/dist/utils/cvss.js +86 -0
  97. package/dist/utils/cvss.js.map +1 -0
  98. package/dist/utils/doc-render.d.ts +28 -0
  99. package/dist/utils/doc-render.js +50 -0
  100. package/dist/utils/doc-render.js.map +1 -0
  101. package/dist/utils/jira-fields.d.ts +38 -0
  102. package/dist/utils/jira-fields.js +53 -0
  103. package/dist/utils/jira-fields.js.map +1 -0
  104. package/dist/utils/sync-version.d.ts +2 -0
  105. package/dist/utils/sync-version.js +20 -0
  106. package/dist/utils/sync-version.js.map +1 -0
  107. package/package.json +49 -0
  108. package/skills/doc-render/SKILL.md +79 -0
  109. package/vendor/dev-docs-templates/templates/dev_docs/plan_template.md +104 -0
  110. package/vendor/dev-docs-templates/templates/dev_docs/prd_template.md +110 -0
  111. package/vendor/dev-docs-templates/templates/dev_docs/spec_template.md +81 -0
  112. package/vendor/dev-docs-templates/templates/dev_docs/tasks_template.md +122 -0
  113. package/vendor/dev-docs-templates/templates/mdr_docs/CA/checklist-clinical-evaluation.md +81 -0
  114. package/vendor/dev-docs-templates/templates/mdr_docs/CA/checklist-gspr-mdr.md +403 -0
  115. package/vendor/dev-docs-templates/templates/mdr_docs/CA/clinical-evaluation-report.md +492 -0
  116. package/vendor/dev-docs-templates/templates/mdr_docs/CA/instructions-for-use.md +132 -0
  117. package/vendor/dev-docs-templates/templates/mdr_docs/CA/literature-evaluation-table.md +15 -0
  118. package/vendor/dev-docs-templates/templates/mdr_docs/CA/mdr-declaration-of-conformity.md +75 -0
  119. package/vendor/dev-docs-templates/templates/mdr_docs/CA/post-market-clinical-follow-up-plan.md +162 -0
  120. package/vendor/dev-docs-templates/templates/mdr_docs/CA/post-market-surveillance-plan.md +175 -0
  121. package/vendor/dev-docs-templates/templates/mdr_docs/CA/risk-management-cybersecurity-checklist.md +67 -0
  122. package/vendor/dev-docs-templates/templates/mdr_docs/CA/risk-management-report.md +111 -0
  123. package/vendor/dev-docs-templates/templates/mdr_docs/CA/usability-evaluation-report.md +70 -0
  124. package/vendor/dev-docs-templates/templates/mdr_docs/EA/clinical-evaluation-plan.md +154 -0
  125. package/vendor/dev-docs-templates/templates/mdr_docs/EA/list-of-hazard-related-use-scenarios.md +34 -0
  126. package/vendor/dev-docs-templates/templates/mdr_docs/EA/risk-table-fmea.md +155 -0
  127. package/vendor/dev-docs-templates/templates/mdr_docs/EA/software-architecture-description.md +307 -0
  128. package/vendor/dev-docs-templates/templates/mdr_docs/EA/software-requirements-list.md +156 -0
  129. package/vendor/dev-docs-templates/templates/mdr_docs/EA/soup-list.md +82 -0
  130. package/vendor/dev-docs-templates/templates/mdr_docs/EA/usability-evaluation-plan.md +103 -0
  131. package/vendor/dev-docs-templates/templates/mdr_docs/ER/global/bug-fixes-documentation-list.md +35 -0
  132. package/vendor/dev-docs-templates/templates/mdr_docs/ER/global/change-evaluation-list.md +100 -0
  133. package/vendor/dev-docs-templates/templates/mdr_docs/ER/global/list-of-known-anomalies.md +29 -0
  134. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/algorithm-validation-report.md +170 -0
  135. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/checklist-software-release.md +52 -0
  136. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/checklist-software-requirements-review.md +50 -0
  137. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/software-architecture-checklist.md +41 -0
  138. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/software-detailed-design.md +321 -0
  139. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/software-system-test-plan.md +155 -0
  140. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/usability-evaluation-protocol.md +63 -0
  141. package/vendor/dev-docs-templates/templates/mdr_docs/PA/intended-use.md +116 -0
  142. package/vendor/dev-docs-templates/templates/mdr_docs/PA/mdr-classification-document.md +114 -0
  143. package/vendor/dev-docs-templates/templates/mdr_docs/PA/risk-management-plan.md +198 -0
  144. package/vendor/dev-docs-templates/templates/mdr_docs/PA/software-development-maintenance-plan.md +225 -0
  145. package/vendor/dev-docs-templates/templates/mdr_docs/PA/system-requirements-spec.md +182 -0
  146. package/vendor/dev-docs-templates/templates/mdr_docs/global/information_security/information-security-controls.md +966 -0
  147. package/vendor/dev-docs-templates/templates/mdr_docs/global/information_security/information-security-policy-and-scope.md +99 -0
  148. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/quality-manual-policy-objectives.md +187 -0
  149. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-capa.md +112 -0
  150. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-change-management.md +128 -0
  151. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-clinical-evaluation.md +102 -0
  152. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-feedback-management.md +140 -0
  153. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-integrated-software-development.md +361 -0
  154. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-post-market-surveillance.md +159 -0
  155. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-software-problem-resolution.md +99 -0
@@ -0,0 +1,75 @@
1
+ # EC Declaration of Conformity
2
+
3
+ ## Manufacturer
4
+
5
+ **\<Company Name\>**
6
+
7
+ *\<Company Address\>*
8
+
9
+ ## Medical Device
10
+
11
+ **\<Name of Device\>**
12
+
13
+ *\<Version of Device\>*
14
+
15
+ *\<Basic UDI-DI, if applicable>*
16
+
17
+ ## Classification
18
+
19
+ **Medical Device Class: \<enter class\>**
20
+
21
+ Classification based on \<enter MDR reference, for example: Annex VIII, Chapter 3, Paragraph 6, Rule 11 (for
22
+ software devices)\>.
23
+
24
+ > For context, read Art. 51 MDR, Section 1. You can find the classification rule applicable to your
25
+ > medical device set out in Annexes VIII of the MDR.
26
+ >
27
+ > For example: software intended to provide information used to take decisions with diagnosis or therapeutic
28
+ > purposes and software intended to monitor physiological processes is classified as class IIa according to
29
+ > rule 11 of the Annex.
30
+
31
+ ## Conformity Assessment
32
+
33
+ Conformity assessment procedure: *\<enter reference to applicable Annex, for example for class I: Annex II and
34
+ III\>* of the Regulation (EU) 2017/745.
35
+
36
+ > For context, read Art. 52 MDR, Section 2. You can find the conformity assessment procedures
37
+ > applicable to your medical device class set out in Annexes IX to XI of the MDR:
38
+ >
39
+ > * For class III devices (other than custom-made or investigational devices) -> Annex IX. Alternatively:
40
+ > Annex X + XI
41
+ > * For class IIb devices (other than custom-made or investigational devices) -> Chapters I and III of Annex
42
+ > IX, incl. TechDoc assessment according to Para. 4 of Annex IX for at least one representative device of a
43
+ > generic device group. For class IIb implant devices, Annex IX applies to every device. Alternatively,
44
+ > manufacturers may choose type examination following Annex X in combination with Annex XI.
45
+ > * For class IIa devices (other than custom-made or investigational devices) -> Chapters I and III of Annex
46
+ > IX, incl. TechDoc assessment according to Para. 4 of Annex IX for at least one representative device for
47
+ > each category of devices.
48
+ > * For class I devices (other than custom-made or investigational devices) -> draw up technical documentation
49
+ > according to Annexes II and III.
50
+ > * For class I devices in sterile condition, including a measuring function or constituting reusable surgical
51
+ > instruments -> apply the procedures set out in Chapters I and III of Annex IX, or in Part A of Annex XI.
52
+
53
+ The Medical Device referenced above meets the provisions of Regulation (EU) 2017/45 on medical devices.
54
+
55
+ > Note #1: This document needs to be signed in some way. If you're using software which supports electronic
56
+ > signatures, use it to sign this document. Otherwise, print it out, sign it old-school, scan it and upload it
57
+ > to your QMS folder.
58
+ >
59
+ > Note #2: read Annex IV MDR to double-check if all relevant information is included! For example, if
60
+ > applicable, include product / trade name, Notified Body information, etc.
61
+
62
+ ---
63
+
64
+ Place, Date, Signature of CEO
65
+
66
+ ---
67
+
68
+ Place, Date, Signature of PRRC
69
+
70
+ ---
71
+
72
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
73
+ license](https://openregulatory.com/template-license).
74
+
75
+ Please don't remove this notice even if you've modified contents of this template.
@@ -0,0 +1,162 @@
1
+ # Post-Market Clinical Follow-Up Plan (PMCFP)
2
+
3
+ This document is used to plan all post-market clinical follow-up activities for the \<name of the medical
4
+ device].
5
+
6
+ ## Product information
7
+
8
+ | Parameter | Description |
9
+ |------------------------|-------------|
10
+ | Product or trade name: | |
11
+ | Model and type: | |
12
+ | Intended purpose: | |
13
+
14
+ ## Context
15
+
16
+ > Check out this guidance document which may further help you to fill out the template: MDCG 2020-7
17
+ > Post-market clinical follow-up (PMCF) Plan Template: A guide for manufacturers and notified bodies
18
+
19
+ The post-market clinical follow-up plan is compiled along with concluding the clinical evaluation and is based
20
+ on the clinical evaluation report. Following Annex XIV MDR, it specifies the methods used to collect and
21
+ evaluate clinical data with the aim of:
22
+
23
+ * confirming the safety and performance of the device throughout its product life cycle,
24
+ * identifying previously unknown side-effects and monitoring the identified side-effects and contraindications,
25
+ * identifying and analyzing emergent risks on the basis of factual evidence,
26
+ * ensuring the continued acceptability of the benefit-risk ratio referred to in sections 1 and 9 of annex I
27
+ MDR, and
28
+ * identifying possible systematic misuse or off-label use of the device, with a view to verifying that the
29
+ intended purpose is correct.
30
+
31
+ ## 1. Activities related to PMCF: general and specific methods and procedures
32
+
33
+ > This section outlines post-market activities for PMCF, detailing general and specific methods/procedures
34
+ > related to the product's scope. It also covers the purpose of each activity, the rationale behind chosen
35
+ > methods, and anticipated limitations. Activity timelines are to be defined quarterly or yearly.
36
+ >
37
+ > Examples of PMCF activities include:
38
+ >
39
+ > 1. **Manufacturer Device Registry:** Specific to the device type or medical device group, include a brief
40
+ > plan description, specifying quality and quantity data based on device risk.
41
+ > 2. **PMCF Studies:** Details study plans, encompassing design, sample size, endpoints, and
42
+ > inclusion/exclusion criteria.
43
+ > 3. **Surveys:** Describes planned surveys for collecting information on the use of the medical device.
44
+ >
45
+ > The overarching aim is to streamline post-market activities, ensuring comprehensive data collection,
46
+ > analysis, and validation.
47
+
48
+ ### 1.1 General methods and procedures
49
+
50
+ > According to the MDR, Annex XIV, 6.2 The PMCF plan shall include at least:
51
+ >
52
+ > (a) the general methods and procedures of the PMCF to be applied, such as gathering of clinical experience
53
+ > gained, feedback from users, screening of scientific literature and of other sources of clinical data;
54
+ >
55
+ > Below are two examples provided:
56
+
57
+ | Method 1 | \<Literature Review\> |
58
+ |--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
59
+ | Description: | \<Literature search as defined in the search protocol of the CER\> |
60
+ | Search period: | \<Beginning from last update of CER until Month/Year\> |
61
+ | Objective: | \<Confirming the findings of the initial Clinical Evaluation Report and identifying new potential benefits and risks\> |
62
+ | Search Strategy: | \<Copy paste your search strategy from the CER here\> |
63
+ | Rationale and known limitations of the activity: | \<Address device risk, the novelty of the product and/or of the clinical procedure, the sufficiency of clinical data in the CER & the objective of this method\> |
64
+
65
+ | Method 2 | \<Feedback from users or patients\> |
66
+ |--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
67
+ | Description: | \<Describe the survey\> |
68
+ | Search period: | \<State the survey periode here\> |
69
+ | Objective: | \<Describe the objective of your survey\> |
70
+ | Additional information | \<Countries, sponsor, survey sides...\> |
71
+ | Rationale and known limitations of the activity: | \<Address device risk, the novelty of the product and/or of the clinical procedure, the sufficiency of clinical data in the CER & the objective of this method\> |
72
+
73
+ ### 1.2 Specific methods and procedures
74
+
75
+ > According to the MDR, Annex XIV, 6.2 The PMCF plan shall include at least:
76
+ > (b) the specific methods and procedures of PMCF to be applied, such as evaluation of suitable registers or PMCF studies;
77
+
78
+ | Method 3 | \<PMCF Study\> |
79
+ |--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
80
+ | Description: | \<Describe the study\> |
81
+ | Search period: | \<State the study periode here\> |
82
+ | Objective: | \<Describe the objective of your study\> |
83
+ | Additional information | \<Countries, sponsor, survey sides...\> |
84
+ | Rationale and known limitations of the activity: | \<Address device risk, the novelty of the product and/or of the clinical procedure, the sufficiency of clinical data in the CER & the objective of this method\> |
85
+
86
+ | Method 4 | \<Device registry\> |
87
+ |--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
88
+ | Description: | \<Database search as defined in the CER\> |
89
+ | Search period: | \<Beginning from last update of CER until Month/Year\> |
90
+ | Objective: | \<Confirming the findings of the initial Clinical Evaluation Report and identifying new potential benefits and risks\> |
91
+ | Search Strategy: | \<Copy paste your search strategy from the CER here\> |
92
+ | Rationale and known limitations of the activity: | \<Address device risk, the novelty of the product and/or of the clinical procedure, the sufficiency of clinical data in the CER & the objective of this method\> |
93
+
94
+ ## 2. Reference to the relevant parts of the technical documentation
95
+
96
+ > In this segment, the manufacturer must incorporate citations to pertinent details from both the clinical
97
+ > evaluation report and the risk management file. These references are subject to analysis, follow-up, and
98
+ > assessment within this plan. Alternatively, the manufacturer must explicitly declare if there is no relevant
99
+ > information from the clinical evaluation report and/or the risk management file that requires consideration
100
+ > in this plan.
101
+
102
+ ### 2.1 Clinical Evaluation Report (date and **version)**
103
+
104
+ ###### Relevant information to be further analysed and monitored:
105
+
106
+ * \<Describe what needs to be analysed\>
107
+
108
+ > Example: The clinical data gathered and evaluated as a result of this PMCF plan will be used to update and
109
+ > verify the chapters 11.6 (literature summary and conclusion), 12 (clinical experience data), 13
110
+ > (risk-benefit assessment) and the conclusion of the CER. The literature will furthermore be searched for
111
+ > similar devices with a focus on associated risks and the state of the art.
112
+
113
+ * No relevant information from the clinical evaluation report to be considered in this plan
114
+
115
+ ### 2.2 Risk Management File (date and version)
116
+
117
+ ###### Relevant information to be further analysed and monitored:
118
+
119
+ * \<Describe what needs to be analysed\>
120
+
121
+ > Example: Clinical data will be used to ensure the ongoing appropriateness of identified hazards, hazardous
122
+ > situations, harms, their frequency and severity estimations in the risk assessment & risk
123
+ > control. Furthermore, the data including information on similar devices shall be evaluated to identify
124
+ > potential emerging risks in the risk assessment & risk control.
125
+
126
+ * No relevant information from the risk management file to be considered in this plan
127
+
128
+ ## 3. Evaluation of clinical data relating to equivalent or similar devices
129
+
130
+ > In this section, the manufacturer is required to compile information on equivalent or similar devices, the
131
+ > clinical data of which will be subsequently assessed and presented in the PMCF report. It is important to
132
+ > highlight that PMCF data, aimed at demonstrating ongoing safety and performance, should primarily originate
133
+ > from the specific device under evaluation. While data from equivalent or similar devices may be utilized—for
134
+ > instance, to update information on the state of the art or to identify and further evaluate relevant safety
135
+ > outcomes—the selected devices must remain consistent throughout the technical documentation. It is essential
136
+ > to specify whether the chosen device is confirmed to be equivalent or is categorized as a similar
137
+ > device. Each listed device should include a clear reference to the relevant sections of the Clinical
138
+ > Evaluation Report (CER).
139
+
140
+ The following equivalent or similar devices have been chosen and the clinical data will subsequently assessed:
141
+
142
+ | Parameter | Equivalent / similar device 1 | Equivalent / similar device 2 |
143
+ |-------------------------------------------------------------------------------------------|-------------------------------|-------------------------------|
144
+ | Product name of equivalent / similar device | | |
145
+ | Intended purpose | | |
146
+ | Intended users | | |
147
+ | Intended patient population | | |
148
+ | Medical condition | | |
149
+ | Indication | | |
150
+ | Reference to clinical data evaluation in the CER (date, version and location in the text) | | |
151
+
152
+ ## 4. PMCF evaluation report
153
+
154
+ The findings of the PMCF will be summarized in the PMCF Evaluation Report that is part of the clinical
155
+ evaluation report and the technical documentation.
156
+
157
+ ---
158
+
159
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
160
+ license](https://openregulatory.com/template-license).
161
+
162
+ Please don't remove this notice even if you've modified contents of this template.
@@ -0,0 +1,175 @@
1
+ # Post-Market Surveillance Plan
2
+
3
+ This plan describes product-specific post-market surveillance activities. The general process of how to do
4
+ post-market surveillance is described in SOP Post-Market Surveillance. Its outputs are saved to the
5
+ Post-Market Surveillance Report or the Periodic Safety Update Report.
6
+
7
+ **Regulatory References:**
8
+
9
+ | | |
10
+ |------------------------------|----------------------------------|
11
+ | EU Regulation 2017/745 (MDR) | Art. 84 and Annex III, Para. 1.1 |
12
+
13
+ ## Product
14
+
15
+ | Product Name | Version | Surveillance Period |
16
+ |-------------------------|---------------|----------------------------|
17
+ | *\<your product name\>* | *\<version\>* | *\<e.g. 10/2020-10/2021\>* |
18
+
19
+ ## 1. General Considerations
20
+
21
+ > Note: Whatever kind of post-market surveillance activities you define for your product, make sure to map at
22
+ > minimum all of these actions required by the MDR to one activity in section 2 below.
23
+
24
+ According to Annex III section 1.1 (b) MDR, the post-market surveillance plan shall cover:
25
+
26
+ | MDR Requirement | Activity |
27
+ |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
28
+ | A proactive and systematic process to collect any information referred to in point (a). The process shall allow a correct characterization of the performance of the devices and shall also allow a comparison to be made between the device and similar products available on the market | SOP Post-Market Surveillance |
29
+ | Effective and appropriate methods and processes to assess the collected data; | SOP Post-Market Surveillance |
30
+ | Suitable indicators and threshold values that shall be used in the continuous reassessment of the benefit-risk analysis and of the risk management as referred to in Section 3 of Annex I; | PMS Plan - Trend Identification & Reporting |
31
+ | Effective and appropriate methods and tools to investigate complaints and analyze market-related experience collected in the field; | SOP Feedback Management |
32
+ | Methods and protocols to manage the events subject to the trend report as provided for in Article 88, including the methods and protocols to be used to establish any statistically significant increase in the frequency or severity of incidents as well as the observation period; | PMS Plan - Trend Identification & Reporting |
33
+ | Methods and protocols to communicate effectively with competent authorities, notified bodies, economic operators and users; | SOP Vigilance |
34
+ | Reference to procedures to fulfill the manufacturers obligations laid down in Articles 83, 84 and 86; | SOP Post-Market Surveillance |
35
+ | Systematic procedures to identify and initiate appropriate measures including corrective actions; | SOP CAPA |
36
+ | Effective tools to trace and identify devices for which corrective actions might be necessary; | SOP Product Certification and Registration |
37
+ | A PMCF plan as referred to in Part B of Annex XIV, or a justification as to why a PMCF is not applicable. | SOP Clinical Evaluation |
38
+
39
+ ## 2. Data Collection Activities
40
+
41
+ | PMS activity | Responsibility | When? | Documented in |
42
+ |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------|------------|--------------------------------------------|
43
+ | Incident documentation and analysis of undesirable side effects | QMO | Annually | PMS Report / PSUR |
44
+ | Assess feedback (customer complaints, sales feedback) | Head of Product | Annually | PMS Report / PSUR |
45
+ | Check SOUP for new published issues | Head of Software Development | Biannually | PMS Report / PSUR |
46
+ | Research data about similar products in the market | QMO | Annually | PMS Report / PSUR |
47
+ | Conduct post-market clinical follow-up activities as planned | Head of Medical Team | Annually | PMCF Evaluation Report / CER |
48
+ | Research scientific publications | Head of Product | Annually | PMCF Evaluation Report / CER |
49
+ | Research updates of standards and legislation | QMO | Annually | PMS Report / PSUR |
50
+ | Analyze trends, decide on necessary measures and implement them | QMO | Annually | PMS Report / PSUR |
51
+ | Update risk management file | QMO | Annually | Risk Management Report / PMS Report / PSUR |
52
+ | Compile post-market clinical follow-up report | Head of Medical Team | Annually | PMCF Evaluation Report / CER |
53
+ | Compile Periodic Safety Update Report | Head of Product | Annually | PMCF Evaluation Report / CER |
54
+ | Upload PSUR to Eudamed database | QMO | Annually | N/A |
55
+ | Compile post-market surveillance plan and post-market clinical follow-up plan for next surveillance interval | QMO | Annually | PMS & PMCF Plan |
56
+ | Volume of sales, an estimate evaluation of the size and other characteristics of the population (such as profession) using the device and, where practicable, the usage frequency of the device, volume of sales by country | QMO | Annually | PMS Report / PSUR |
57
+
58
+ ## 3. Methods and Procedures
59
+
60
+ > Include mandatory data sources in the PMS plan for each product, with additional methods based on risk class
61
+ > and product type. Justify any non-applicability.
62
+
63
+ ### 3.1 Feedback
64
+
65
+ ### Serious Incidents and FSCA
66
+
67
+ The insert report type, e.g. PMS Report or PSUR will summarize the number of reported serious incidents, their
68
+ investigation results and any taken subsequent measures.
69
+
70
+ ### Non-serious Incidents and Expected Undesirable Side-Effects
71
+
72
+ The PMS Report or PSUR will summarize the evaluation results and conclusions, including any taken preventive
73
+ or corrective actions.
74
+
75
+ ### Proactively gathered Feedback
76
+
77
+ Proactively collect feedback from distributors, users, and importers, including inputs not considered in
78
+ previous sections. This encompasses feedback on usability, both positive and regarding issues, gathered
79
+ through client visits, conferences, and events. General market feedback will also be actively obtained during
80
+ client visits, conferences, fairs, and specified events. Specify objectives, acceptance criteria, and
81
+ responsible persons for these activities. The aim is to identify new risks, verify existing ones, and assess
82
+ benefits and use-related aspects of the medical device. Evaluate and summarize the gathered information. If
83
+ potential serious incidents arise, follow the SOP Vigilance. The PMS Report or PSURwill summarize the results.
84
+
85
+ ### 3.2 Trend Identification and Reporting
86
+
87
+ According to the MDR, Article 88 non-serious incidents and expected undesirable side-effects are subject to
88
+ trend analysis. Statistically significant increases in the frequency or severity will be reported. There are
89
+ three types of changes that can be indicated by a trend analysis:
90
+
91
+ * a sudden significant deviation like an outlier or spike, respectively;
92
+ * significant trends, i.e. repetitive deviations or continuous drifting away from the history of earlier
93
+ values;
94
+ * detection by visual inspection, whether the data are subject to cyclic effects, e.g. of calendar events like
95
+ summer holidays or end of budget periods.
96
+
97
+ All incidents deemed non-serious and anticipated undesirable side-effects will undergo meticulous
98
+ documentation and categorization, encompassing occurrences such as the arrival of a non-sterile device or a
99
+ software crash. This process is crucial for maintaining a standardized approach, ensuring comparability across
100
+ different incidents. To achieve this, normalization will be applied, factoring in the respective sales numbers
101
+ or the number of installed devices per month.
102
+
103
+ The data obtained will be graphically represented for each incident category, portraying the number of
104
+ normalized incidents against the corresponding month. This visualization serves to illuminate the temporal
105
+ progression of these incidents over time, facilitating a comprehensive understanding of trends and
106
+ patterns. Adhering to the guidelines outlined in ISO/TR 20416 for Medical Devices - PMS for manufacturers,
107
+ Rule 3 of the Nelson Rules will be employed to detect trends. A trend is detected, where six or more points in
108
+ a row exhibit a continuous upward trajectory. In addition, long term trends are detected by visual inspection
109
+ and review of the plotted incidents. If a trend is detected, a CAPA will be opened to investigate the
110
+ incidents.
111
+
112
+ ### 3.3. Databases and Registers
113
+
114
+ > Specify applicable literature databases, e.g. PubMed, Embase, COCHRANE, etc. for the gathering of clinical
115
+ > data. If you have a separate PMCF plan which already contains the literature search as one of the planned
116
+ > PMCF activities, you may provide a brief statement that there is a search strategy for literature in the
117
+ > PMCF plan.
118
+
119
+ ### SOUP Incident Reports
120
+
121
+ Check device SOUP list and research incident reports from last 12 months.
122
+
123
+ ### Technical, Specialist & Regulatory Information
124
+
125
+ Applicable literature are product standards and guidelines as documented in the checklist of General Safety
126
+ and Performance Requirements according to Annex I of Regulation (EU) 2017/745. These serve to determine the
127
+ current state of the art and possible technical improvements and will be monitored on a yearly basis for
128
+ changes and renewals. Furthermore, the Medical Device Coordination Group (MDCG) publications (guidance
129
+ documents) will be reviewed with regards to guidance on interpretation of process- or product-relevant
130
+ interpretations of regulatory requirements in the Regulation (EU) 2017/745. The < PMS Report or PSUR\> will
131
+ summarize the results.
132
+
133
+ ### Other Publicly Available Information about Similar Medical Devices
134
+
135
+ Identify the databases to be utilized for investigating incidents and recalls related to comparable devices
136
+ (e.g., through MAUDE, BfArM, MHRA). Clearly outline the similar devices and establish appropriate search and
137
+ evaluation criteria. A sample approach is provided below:
138
+
139
+ | Database | BfArM |
140
+ |---------------|----------------------------------------------------------|
141
+ | Criteria: | Safety Information (Safety warnings, alerts and recalls) |
142
+ | Timeframe: | January 1 – December 31 2020 |
143
+ | Search terms: | E.g. Similar Device Name |
144
+
145
+ ### 3.4. PMCF
146
+
147
+ > If PMCF is exempt, add a justification.
148
+ >
149
+ > PMCF may only be exempt under one of the two following conditions:
150
+ >
151
+ > The demonstration of conformity with general safety and performance requirements based on clinical data is
152
+ > not deemed appropriate, and adequate justification for the non-applicability of a clinical evaluation report
153
+ > has been given; or It is a product without an intended medical purpose (see Annex XVI of Regulation (EU)
154
+ > 2017/745).
155
+ >
156
+ > Otherwise:
157
+ >
158
+ > A PMCF plan has been developed for this device to consistently collect relevant clinical data, confirming
159
+ > the benefit-risk determination in the Risk Management Report and Clinical Evaluation Report. This includes
160
+ > assessing clinical safety, performance, any claims, and its alignment with the current state of the art. The
161
+ > specific PMCF activities are contingent on factors such as device innovation, the availability of adequate
162
+ > clinical data, inherent risks, and device type. These considerations have guided the planning of suitable
163
+ > PMCF methods.
164
+
165
+ ## 4. Planned PMS Report/ Periodic Safety Update Report \(PSUR\)
166
+
167
+ > Please state the month and year of the planned PMS report (for Class I devices)/ of the PSUR (for all other
168
+ > devices).
169
+
170
+ ---
171
+
172
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
173
+ license](https://openregulatory.com/template-license).
174
+
175
+ Please don't remove this notice even if you've modified contents of this template.
@@ -0,0 +1,67 @@
1
+ # Questionnaire "Cybersecurity for Medical Devices - Technical Documentation"
2
+
3
+ Version 1, dated 21st of March, 2023
4
+
5
+ ### 1. Preliminary remarks
6
+
7
+ * This document was compiled by the [German Notified Bodies
8
+ Alliance](https://www.ig-nb.de/fileadmin/user_upload/ig-nb/Questionnaire_Cybersecurity_for_Medical_Devices_-_Technical_Documentation_-_Version_1.pdf)
9
+ ("Interessengemeinschaft der Benannten Stellen für Medizinprodukte in Deutschland", IG-NB) and is intended
10
+ to serve as orientation for Notified Bodies, manufacturers and interested parties. It makes no claim to
11
+ completeness or mandatory application.
12
+ * This document covers assessments of Technical Documentation for MDR / IVDR. Not all requirements of MDR,
13
+ IVDR and MDCG 2019-16 are covered in this document.
14
+ * Created by Jan Küfner (TÜV SÜD), Dr. Abtin Rad (TÜV SÜD), Dr. Andreas Schwab (TÜV Rheinland), Volker Sudmann
15
+ (mdc medical device certification), Markus Bianchi (DNV Medcert), Martin Tettke (Berlin Cert), Michael Bothe
16
+ (DQS Med), Mark Küller (TÜV-Verband / IG-NB). It replaces the previous version "IT Security for Medical
17
+ Devices“ (Version 5, 09.06.2022).
18
+ * Questions regarding the security risks of artificial intelligence can be found in latest version of IG-NB's
19
+ "Questionnaire Artificial Intelligence (AI) in Medical Devices".
20
+ * Compliance to IEC 81001-5-1 is not expected, however recommended, prior to the end of its transition
21
+ period. Compliance to IEC 81001-5-1 prior its transition period is however recommended. In the following
22
+ tables IEC 81001-5-1 is mentioned only for complementary purposes. Questions for manufacturers are solely
23
+ based on the current requirements (MDR, IVDR, MDCG 2019-16)
24
+ * Since cybersecurity evolves on a regulatory and technological level, this document is intended to reflect
25
+ the current state of the art at the time of creation only.
26
+
27
+ **References:**
28
+
29
+ * Regulation (EU) 2017/745 (MDR), dated 5 April 2017
30
+ * MDCG 2019-16 - Guidance on Cybersecurity for medical devices, Rev. 1, 2020-07
31
+ * IEC 62304:2006-05 Medical device software - Software life cycle processes
32
+ * IEC 81001-5-1:2021-12 Health software and health IT systems safety, effectiveness and security — Part 5-1:
33
+ Security — Activities in the product life cycle
34
+
35
+ ### 2. System Description
36
+
37
+ | Item | Source | Requirement(s) | IG-NB Commentary | Manufacturer Reference for Compliance |
38
+ | ---- | ------ | -------------- | ---------------- | ------------------------------------- |
39
+ | 2.1 | State of the Art (SOTA) | An appropriate system diagram must be available. | Is an appropriate system diagram available? | Yes, see:<br>\- Software development plan<br>\- Software architecture |
40
+ | 2.2 | IEC 81001-5-1 cl. 7.2 | 'All products have a threat model specific to the current development scope. Characteristics (where applicable): correct flow of categorized information throughout the system, trust boundaries, data stores, internal/external communication protocols etc.' | Note: a complete system diagram should include the following:<br>1\. All medical devices incl\. their interfaces \(e\.g\. bluetooth\, wifi\, ethernet\)\, utilized protocols \(e\.g\. HL7\, DICOM\, HTTPS\, MQTTS\, custom\) on those interfaces and their implemented technical specification \(e\.g\. implemented protocol version\) incl\. the type of data being transferred \(e\.g\. personal health information\, therapeutic commands\, updates\, remote access\) on those interfaces\.<br>2\. All human machine interfaces within the system \(e\.g\. screens\, keyboards\)\. | Potential cyber security risks and IT-security concerns have been taken into account within the framework of the existing FMEA risk analysis, following the ISO 14971 standard for risk management in medical devices. |
41
+
42
+ ### 3. Security Risk Management
43
+
44
+ | Item | Source | Requirement(s) | IG-NB Commentary | Manufacturer Reference for Compliance |
45
+ | ---- | ------ | -------------- | ---------------- | ------------------------------------- |
46
+ | 3.1 | MDCG 2019-16 cpt. 3.2 | 'The security risk management process has the same elements as the safety risk management process, all documented in a security risk management plan. The process elements are security risk analysis, security risk evaluation, security risk control, evaluation of residual security risk and reporting.' | Is a security risk analysis available? | Yes, see:<br>\- Risk management plan<br>\- Risk table<br>\- Risk management report |
47
+ | 3.2 | MDCG 2019-16 cpt. 3.4<br>and<br>IEC 81001-5-1 cl. 7.2 | 'Threat Modelling techniques are a systematic approach for analyzing the security of an item in a structural way such that vulnerabilities can be identified, enumerated and prioritized, all from a hypothetical attacker's point of view.'<br>AND<br>'(...) Employ activities to ensure that all products have a threat model specific to the current development scope.' | Does the security risk assessment contain an appropriate and systematic threat model?<br>Note: STRIDE is a systematic threat modelling technique, since it evaluates threat categories interface by interface. | Potential cyber security risks and IT-security concerns have been taken into account within the framework of the existing FMEA risk analysis, following the ISO 14971 standard for risk management in medical devices. |
48
+ | 3.3 | MDCG 2019-16 cpt. 3.4 | 'Threat modelling typically employs a systematic approach to identify attack vectors and assets most desired by an attacker.'<br>AND<br>\- 'Establish activities which identify and document any vulnerabilities\, threats and associated adverse impacts affecting confidentiality\, integrity\, availability of assets\.<br>\- Consider intended use and the intended environment of use\.' | Is the threat model complete and correct (e.g. discussing all applicable threats for all relevant attack vectors)? | Yes, see risk table. |
49
+ | 3.4 | IEC 81001-5-1 cl. 7.3 | \- Establish activities to estimate risk of vulnerabilities\.<br>\- Risk estimation should consider adverse impact of vulnerability to security<br>\- Estimation can be supported by using vulnerability scoring<br>\- Scoring system can be based on a likelihood/severity scheme used by the manufacturer for other risks<br>\- Evaluate estimated risks<br>\- Determine if risk is acceptable or not \(based on scoring\)<br>\- Inform product risk management process | Is the risk pre- and post-mitigation appropriately estimated?<br>Note 1: quantitative risk assessment is acceptable.<br>Note 2: security risk is a combination of exploitability and severity.<br>Note 3: alteration or disclosure of patient data can lead to harm. | Yes, see:<br>\- Risk table<br>\- Risk management report |
50
+ | 3.5 | MDCG 2019-16 cpt. 3.2 | 'When a security risk or control measure could have a possible impact on safety and effectiveness, then it should be included in the safety risk assessment.' | Are security mitigations (if any) that might affect safety appropriately discussed? | Yes, see:<br>\- Risk table<br>\- Risk management report |
51
+ | 3.6 | MDCG 2019-16 cpt. 3.3 | ‘Where there is an impact on safety or effectiveness, manufacturers shall select the most appropriate risk control solution, in the following order of priority:<br>a) Eliminate or reduce risks as far as possible through safe design and manufacture;<br>b) Where appropriate, take adequate protection measures, including alarms if necessary, in relation to risks that cannot be eliminated;<br>c) Provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to users.<br>For security, a similar approach can be taken:<br>a) Eliminate or reduce security risks as far as feasible through secure design and manufacture;<br>b) Where appropriate, take adequate protection measures, including security notifications if necessary, in relation to risks that cannot be eliminated;<br>c) Provide information for security (warnings/precautions/contra-indications) including information on measures that the user is required to take in the operating environment to reduce the likelihood of exploitation. | Do risk control solutions have the correct order or priority?<br>Note: according to MDR/IVDR, the auditee shall always implement security measures within the device rather than delegating security via IFU to the user or admin of the device. | Yes, see:<br>\- Risk table<br>\- Risk management report |
52
+ | 3.7 | IEC 81001-5-1 cl. 7.4 | \- Determine whether security risk control measures are appropriate for reducing security risks to an acceptable level \(based on security risk acceptance policies\)<br>\- If risk controls are deemed appropriate: appropriate mitigations selected<br>\- Determine whether mitigations result in new risks or increased other risks\,<br>\- Select mitigations implemented\, effectiveness of the implemented measures verified | Are risk control measures / counter measures appropriate? | Yes, see:<br>\- Risk table<br>\- Risk management report |
53
+ | 3.8 | MDCG 2019-16 cpt. 2.1<br>and<br>MDR Annex I (17.4) / IVDR Annex I (16.4)<br>and<br>MDR Annex I (18.8)<br>and<br>MDR Annex I (17.2) / IVDR Annex I (16.2) | ‘Key concepts involved in IT security specifically for medical devices are the following:<br>\- Confidentiality of information at rest and in transit<br>\- Integrity\, which is necessary to ensure information authenticity and accuracy \(i\.e\. non\-repudiation\)<br>\- Availability of the processes\, devices\, data\, and connected systems\.‘<br>AND<br>‘Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.’<br>AND<br>‘Devices shall be designed and manufactured in such a way as to protect, as far as possible, against unauthorised access that could hamper the device from functioning as intended.’<br>AND<br>'The Cybersecurity risks are as far as possible reduced without adversely affecting the benefit-risk ratio. The device is developed in accordance with the state of the art taking into account the principles of risk management, including information security.' | Is the security concept of the device under evaluation appropriate? | Yes, see:<br>\- Risk table<br>\- Risk management report<br>\- Software development plan |
54
+
55
+ ### 4. Accompanying Documentation
56
+
57
+ | Item | Source | Requirement(s) | IG-NB Commentary | Manufacturer Reference for Compliance |
58
+ | ---- | ------ | -------------- | ---------------- | ------------------------------------- |
59
+ | 4.1 | MDCG 2019-16 cpt. 2.6<br>and<br>MDR Annex I (23.4.ab) / IVDR Annex I (20.4.1.ah) | ‘While the MDR and the IVDR provide legal obligations only with regard to manufacturers, however it should be noted that for the provision of secured healthcare services, it is important to recognize the roles and expectations of all stakeholders, such as manufacturers, suppliers, healthcare providers, patients, integrators, operators and regulators. All of these actors share responsibilities for ensuring a secured environment for the benefit of patients’ safety.’<br>AND<br>The instructions for use shall contain all of the following particulars: ‘for devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.’ | Are the responsibilities of manufacturer, integrator and users correctly reflected in the IFU?<br>Note: in cases where the medical device relies on the operating environment to provide essential IT security controls, this is appropriately stated in the accompanying technical documentation. | Yes, see:<br>\- Instructions for use / user manual |
60
+ | 4.2 | MDCG 2019-16 cpt. 4.2 | ‘The requirements regarding the instructions for use are outlined in the following articles of Annex I’ | Does the accompanying documentation appropriately contain the following (if applicable):<br>\- Any residual cybersecurity risk communicated as limitation\, contraindication\, precaution or warning<br>\- Information about product installation such as configuration of security features \(CNFS\)\. Note: this does NOT mean the documentation /or provisioning of passwords for assessment in the accompanying documents\. Also include required information about any necessary 3rd party software such as anti\-virus software\, firewall\, malware detection/protection \(MLDP\) and minimum requirements for OS\, workstation\, peripherals\.<br>\- Procedures for using the medical device in fail\-safe mode / action plan for users to follow in case of alert messages<br>\- Information about user requirements in terms of training / required skills<br>\- Instruction on installing \(cybersecurity\) updates & patches \(CSUP\)<br>\- The environment of use \(home environment\, healthcare facility\, etc\.\)<br>\- A description of data backup \(DTBK\) and restore features<br>\- User roles incl\. privileges<br>\- Information about logging | Yes, see:<br>\- Instructions for use / user manual<br>\- User training |
61
+
62
+ ### 5. Lifecycle (Relevant Output Documents)
63
+
64
+ | Item | Source | Requirement(s) | IG-NB Commentary | Manufacturer Reference for Compliance |
65
+ | ---- | ------ | -------------- | ---------------- | ------------------------------------- |
66
+ | 5.1 | IEC 62304 cl. 8.1.2 | 'Document for each SOUP configuration item being used (incl. standard libraries): title, manufacturer, unique SOUP designator." | Has the manufacturer documented all SOUP components? | Yes, see:<br>\- SOUP |
67
+ | 5.2 | MDCG 2019-16 cpt. 3.7<br>and<br>IEC 81001-5-1 cl. 5.7.5 | ‘The primary means of security verification and validation is testing. Methods can include security feature testing, fuzz testing, vulnerability scanning and penetration testing.’<br>AND<br>'Documented means of ensuring objectivity of the test effort for security requirements testing, known vulnerability scanning and penetration testing.' | \- Is the penetration test report available and appropriate?<br>\- Is the penetration test covering all applicable attack vectors?<br>\- Is the tester appropriately skilled?<br>\- Is the tester independent?<br>\- Are appropriate tools used?<br>\- Is enough time / resources utilized? Is appropriate Fuzz Testing conducted where applicable?<br>Note 1: Common penetration testing methodologies such as open-source security testing methodologies (OSSTMM), MASTG, phased structured approaches such as penetration testing execution standard (PTES) methodologies should be adapted as appropriate for the medical device until appropriate standards are available.<br>Note 2: The penetration test should consider any special constraints relating to the medical device(s) such as the safety of the patient and others as well as clinical performance.<br>Note 3: ISO 17025 accredited test laboratories with appropriate capability and competence for medical device penetration testing should be used once available. | Security verification and validation was performed as part of system testing. See system test results. |
@@ -0,0 +1,111 @@
1
+ # Risk Management Report
2
+
3
+ The Risk Management Report contains the output and summary of risk management activities. The general planning
4
+ and methods are described in the Risk Management plan, while the actual risks are listed and analyzed in the
5
+ Risk Table.
6
+
7
+ The process and stages of risk analysis are described in the SOP Integrated Software Development.
8
+
9
+ ## Mapping of Standard Requirements to Document Sections
10
+
11
+ | ISO 14971:2019 Section | Document Section |
12
+ |---------------------------------------|------------------------------|
13
+ | 4.5 Risk management file | (all) |
14
+ | 7.4 Benefit-risk analysis | 6 |
15
+ | 7.6 Completeness of risk control | (by review of this document) |
16
+ | 8 Evaluation of overall residual risk | 3, 5 |
17
+ | 9 Risk management review | (all) |
18
+
19
+ ## 1. Relevant Processes and Documents
20
+
21
+ * SOP Integrated Software Development
22
+ * Risk Management Plan
23
+ * Risk Acceptance Matrix
24
+ * Risk Table
25
+
26
+ ## 2. Risk Analysis
27
+
28
+ > The general idea about this section is that you simply summarize the amount of stuff you added to your Risk
29
+ > Table (a separate document).
30
+
31
+ ### 2.1 Preliminary Hazards Analysis
32
+
33
+ *\<no. of hazards\>* hazards were identified based on the Intended Use and Usability Tests. They were further
34
+ analyzed in the Risk Table.
35
+
36
+ ### 2.2 Failure Modes
37
+
38
+ *\<no. of failure modes\>* failure modes of software systems were identified. They were further analyzed in
39
+ the Risk Table.
40
+
41
+ ### 2.3 Failure Mode and Effects Analysis (FMEA)
42
+
43
+ All preliminary hazards and potential failure modes of the software were analyzed. Annec C of ISO 14971 was reviewed for potentially applicable scenarios. In total, *\<no. of hazards\>* were identified. The hazardous situation(s) and harm(s) which they could lead to were analyzed, including intermediate probabilities (p1 and p2).
44
+
45
+ ## 3. Risk Control Measures
46
+
47
+ Risks were reduced as far as possible (AFAP). If a risk was classified as "unacceptable" based on
48
+ the Risk Table, Risk Control Measures were implemented.
49
+
50
+ The following categories of Risk Control Measures were implemented in priority as listed below:
51
+
52
+ 1. Inherent safety by design
53
+ 2. Protective measures
54
+ 3. Information for safety
55
+
56
+ In total, *\<no. of risk control measures\>* were implemented.
57
+
58
+ ## 4. Risk Matrix
59
+
60
+ After implementation and verification of all Risk Control Measures, the count of risks in the Risk Acceptance
61
+ Matrix was as follows:
62
+
63
+ | Probability | S1: Negligible | S2: Marginal | S3: Critical | S4: Catastrophic | Estimated Maximum Event Count |
64
+ |--------------|----------------|---------------------|---------------------|---------------------|-------------------------------|
65
+ | P5: Certain | acceptable: 0 | **unacceptable: 0** | **unacceptable: 0** | **unacceptable: 0** | 1000000 |
66
+ | P4: Likely | acceptable: 0 | **unacceptable: 0** | **unacceptable: 0** | **unacceptable: 0** | 10000 |
67
+ | P3: Possible | acceptable: 0 | acceptable: 0 | **unacceptable: 0** | **unacceptable: 0** | 100 |
68
+ | P2: Unlikely | acceptable: 0 | acceptable: 0 | acceptable: 0 | **unacceptable: 0** | 1 |
69
+ | P1: Rare | acceptable: 0 | acceptable: 0 | acceptable: 0 | acceptable: 0 | 0 |
70
+
71
+ ## 5. Summary of Risks and Unacceptable Risks
72
+
73
+ > If you don't have unacceptable risks (more likely), use this section:
74
+
75
+ After Risk Control Measures, no unacceptable risks remained. The software, therefore, fulfils the specifications
76
+ of the defined risk policy and is safe. A Benefit-Risk Assessment is not required.
77
+
78
+ > If you still have unacceptable risks, use this section:
79
+
80
+ After Risk Control Measures, *\<no. of unacceptable risks\>* unacceptable risks remained. They will be further
81
+ assessed in the Benefit-Risk Assessment below.
82
+
83
+ > Optionally, mention here your device's software safety classification according to IEC 62304, resulting from the worst possible risks found above.
84
+
85
+ ## 6. Benefit-Risk Assessment
86
+
87
+ > Only use this whole section (Risk-Benefit Assessment) if you have unacceptable risks.
88
+
89
+ The *\<no. of unacceptable risks\>* remaining unacceptable risks are compared to the benefits resulting from
90
+ the Clinical Evaluation Report.
91
+
92
+ The benefits are as follows:
93
+
94
+ *\<Copy-paste benefits from Clinical Evaluation\>*
95
+
96
+ > Add a conclusion on whether the benefits outweigh the risks
97
+
98
+ Weighing the benefits against the risks, we conclude that...
99
+
100
+ ## 7. Overall Residual Risk
101
+
102
+ > Take a look at your risk mitigating measures and assess whether the combination of them could lead to a risk that has not been taken care of yet, e.g., if one mitigation serves two or more risks at once.
103
+
104
+ The overall residual risk is estimated to have a probability of *\<probability of residual risk\>* and a severity of *\<severity of residual risk\>*. According to the Risk Acceptance Matrix the overall residual risk is assessed as *\<acceptable\>*.
105
+
106
+ ---
107
+
108
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
109
+ license](https://openregulatory.com/template-license).
110
+
111
+ Please don't remove this notice even if you've modified contents of this template.