CMHAFF call, Thursday, Oct 26
- Discuss timeline (which is now growing short) and plan to complete work on time. Need to limit new material and focus on getting existing material into shape for ballot.
- Initial content deadline Nov 26
- Reconciliation deadline Dec 3: is it needed, since ballot reconciliation was done long ago, and it was a comment-only ballot?
- Final content deadline Dec 17
- Review Section 2.2 cMHAFF Label, which has undergone a major simplification (based on last week's conversation). I propose to make this a non-normative Appendix, since it will take too much time to gain consensus, it's beyond our scope to execute, and it could divert attention from the Conformance Criteria which are the most important (normative) part of cMHAFF.
- Work through a new section as exemplar: "Trust" (combination of Security-related sections)
- Review and decision on specific comments
- DKT7 -- Environmental Scan
- DKT8 -- Are all aspects of the product development life cycle appropriate to mention, if there are not corresponding conformance criteria for all of them?
- DKT9 -- Secure Coding practices reference
- DKT13&14 -- Risk Management references
- DKT22 -- Liability discussion. Frank disputes this one. Appropriate?
- DKT31 -- Strong authentication options
- DKT49 -- Initial set of definitions. Check for important missing terms.
- DKT50 -- Platform-specific considerations
- Review of changes made, based on Adamu's recommendations from U.K. PAS277 Guidelines. Comments have been added, but specific wording has not all been incorporated yet. Adamu also sent an email on October 6th that we should consider (copied below)
Adamu's Oct 6th Email
Hi all, Coming back to the PAS document and the general discussion about cMHAFF.
I think in general we need to figure out how we could leverage or incorporate or complement PAS as a whole (without UK-specific standards) into cMHAFF. Not for this ballot session but maybe during the resolution of the comments after January. PAS has a bit different style from all the specs we’ve looked at, in a sense that it looks at the project life cycle of the apps. Product development in fact will become highly relevant in light of the FDA precertification program: https://www.fda.gov/MedicalDevices/DigitalHealth/DigitalHealthPreCertProgram/Default.htm and some companies have already been selected: https://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm577480.htm
In essence, FDA will follow & check your SW design and process and certify it (like ISO certification) so they don’t have to certify each individual product coming from that company. Any product from that will go directly to the market and FDA will go straight to the post-market data collection phase. This makes SW process/product development life cycle very key or central here… and that is where PAS comes in for health and wellness apps.
cMHAFF covers almost everything from PAS, i.e. from the consumer or market perspective => translated backwards to what the developer should do before releasing the product/app to the market. I think we can plug PAS (or some part of it) in 3.2 to guide the developer on what process to follow to meet cMHAFF conformance at the front end. Or we can also check PAS Annex A (informative): relation between PAS and IEC 62304, i.e. how PAS selected key parts and a light version of IEC 62304
I don’t know how in practice we can do this but definitely we should not re-do the work but smartly reference or incorporate or point to the developer what process to follow in product development… (liaison or work together to pick some parts into cMHAFF annex or direct reference)
Please, let’s have a look as a general task outside the current ballot preparation. I think after January we need to see how to proceed to position cMHAFF to not only address current FDA direction but a “go to” framework for various app stakeholders in the consumer health industry
My two cents…