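IEC 81001-5-1 requires manufacturers to define the applicability of the security life cycle processes within their quality management system (4.1.3, Determination of applicability).
The MDR appears to have already anticipated this applicability. Annex I, Section 17.2 states: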
"For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation."
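Consequently, every piece of software and every product that contains software must automatically provide security documentation in accordance with IEC 81001-5-1.
I think this is somewhat excessive. I would not want to guide a digital clinical thermometer, which contains software and shows temperature values on a digital display, through a complete security life cycle process according to IEC 81001-5-1. All the more so because IEC 81001-5-1 does not define any limits on effort and documentation (compare the safety classes of IEC 62304).
We can therefore use the note in IEC 81001-5-1 (4.1.4, Note 1) to limit the applicability of the security life cycle process: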
"For HEALTH SOFTWARE some IT exposure, networking, or data interfacing capabilities are assumed and therefore a secure software LIFE CYCLE is followed"
I therefore suggest that the applicability statement in the security procedure could read:
"As soon as a medical device is software or contains software AND at the same time has any form of data interface to other devices or systems, it falls under the scope of the security lifecycle process."
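Interestingly, this also coincides with the current draft of the Cyber Resilience Act, which in future will apply to all products in Europe (with the exception of medical devices and some other products):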
'This Regulation shall apply to devices incorporating digital elements, the intended or reasonably foreseeable use of which involves a direct or indirect logical or physical data connection to a device or network.'
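It appears that MDR Annex I, Section 17.2 defines the application of information security processes too narrowly. Hopefully the notified bodies will follow this line of reasoning!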