21
Aug
2008

Warning Letter – GE Healthcare Integrated IT Solutions

,
0

Recipient: GE Healthcare Integrated IT Solutions
Product: Centricity Imaging and other Picture Archiving and Communication System (PACS) products
Date: 8/12/2008

1. Failure to establish and maintain adequate procedures for analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems, as required by 21 CFR 820.100(a)(1).

For example:
b. Your CAPA procedures do not address obtaining and reviewing information from other GE Healthcare sites that share the same product components (such as shared software code). In October 2007, GE Medical Systems in France submitted a correction and removal report for safety issues identified in their Advantage Workstation (AW) product. The evaluation of the same safety issues identified in the GE Healthcare IITS AW Suite version 2.0.1 product (which builds on the AW software code) did not include the consideration that the site in France initially reported these issues.

2. Failure to establish and maintain adequate procedures for the identification, documentation, validation or where appropriate verification, review and approval of design changes before their implementation, as required by 21 CFR 820.30(i).

For example:
a. The AW Suite 2.0 System Requirements Specification has not been updated to reflect the Volume Viewer Advanced Vessel Analysis requirement to display a message when PET slices are missing from a loaded dataset. This issue was identified in Software Problem Report 64263 and a design change was implemented in AW Suite 2.0.1, released in October 2007. The issue was originally identified at GE Medical in France in a product with a shared code base (Advantage Workstation -AW). The Software Requirements Specification for the AW product was updated in September 2007; however, this design change was not identified or implemented for the AW Suite 2.0.

3. Failure to establish and maintain adequate procedures for finished device acceptance to ensure that each production run, lot, or batch of finished devices meets acceptance criteria, as required by 21 CFR 820.80(d).

For example, manufacturing procedures do not include a requirement for conducting and documenting acceptance activities for CD/DVD burns and eDistribution downloads to ensure that the software matches the engineering master files.

. A MDR report was not submitted within 30, days of receiving or otherwise becoming aware of information that reasonably suggest that marketed device has malfunctioned and would be likely to cause or contribute to a death or serious injury if the malfunction were to recur, as required by 21 CFR 803.50(a)(2).

For example, complaint 13116009 was not submitted as a MDR. In accordance with comment 12 of the preamble to the MDR regulation, “A malfunction is reportable if any one of the following is true. . .(5) the manufacturer takes or would be required to take an action under section 518 or 519(f) [redesignated 519(g) by 110 P.L. 85, Sec. 226 (Sept. 27, 2007)] of the Act as a result of the malfunction of the device or other similar devices.” 60 Fed. Reg. 63578, 63585 (Dec. 11, 1995). Your July 20 and August 2, 2007, correction correspondences regarding the software malfunctions for the Centricity Perinatal Systems have been classified as a Class II recall, Z-2037-2008, and is considered a section 519(g) action.

10. Failure to submit a written report to FDA of any correction or removal of a device initiated by such manufacturer or importer to remedy a violation of the act caused by the device which may present a risk to health, as required by 21 CFR 806.10(a)(2). For example, your correction to apply a software patch for the Centricity Perinatal Monitoring System problem of non-identifiable patient information being added to an incorrect file was not reported to FDA. A letter describing this issue was sent to customers on July 20, 2007, and patches are available beginning in August 2007.

11. Failure to submit a written report (within 10 days) to FDA of any correction or removal of a device initiated by a manufacturer, as required by 21 CFR 806.10(b).
For example: b. Correction and Removal report 3004526608-05/06/08-003-C was reported to FDA on May 6, 2008, for a patient safety issue involving incorrect study date and time information being displayed in the Centricity PACS software. The Field Modification Instruction (FMI) Development and Deployment Plan for this issue was approved as a Mandatory Safety FMI in December 2007.

12. Failure to keep a record of justification for not reporting the correction or removal action to FDA, as required by 21 CFR 806.20. For example, your correction to apply a software patch for the Centricity Perinatal Monitoring System problem of non-identifiable patient information being added to an incorrect file was not reported to FDA. There was no justification in the record for why this correction was not reported to FDA.

FDA Chicago District Office

About the author

Amy enjoys researching and writing about developments in medical technology and how that intersects with US law. She received her J.D. from the University of Florida Levin College of Law in 2020 and now works as a Regulatory Associate for SoftwareCPR®, a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:

TBD

 

 

Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom

Registration Link:

Register Now

 

 

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
office@softwarecpr.com
Partners located in the US (CA, FL, MA, MN, TX) and Canada.