
Defining End of Life for Medical Devices

Everyone has a different opinion of what “End of Life” for a medical device means.


By: Christopher Gates

Founder & CEO

Recently, I was attending the Health Sector Coordinating Council’s (HSCC) cybersecurity working group on Model Contract Language for MedTech Cybersecurity (or MC2), Version 2,[1] and the term “End of Life” as it applies to medical devices came up while we were revising one of the recommended contract clauses.

Everyone in the working group is a medical device cybersecurity expert, yet we all had conflicting opinions about:

  • What this topic should really be called
  • When the various “End of…” phases really occur
  • What the time period for each phase should really be
It was at this point I started formulating this article.

One of our fundamental issues was that this working group was composed of experts from both medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs). These two groups have different ways of referring to the same “End of…” phases.

First, it should be noted that everyone has a different opinion of what “End of Life” for a device means; so much so that, to avoid confusion, we should probably drop this term in favor of more descriptive options. Or maybe we should only use “End of Life” to refer to the entire collective process?

At this point, I know some readers are saying, “But the device is at its End of Life when we stop making it. What is all this talk about phases?” Well, it isn’t quite that simple.

After a quick review of the usual consensus and regulatory standards, we were left with four standards that mention these “End of…” activities. They are:
  • September 2019: Association for the Advancement of Medical Instrumentation (AAMI) – AAMI TIR97:2019 Principles for medical device security—Postmarket risk management for device manufacturers
  • April 2022: FDA – Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff
  • April 2022: International Medical Device Regulators Forum (IMDRF) – Principles and Practices for the Cybersecurity of Legacy Medical Devices
  • March 2023: HSCC – Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS)
All of these standards define the activities that should occur when the device is due for retirement but do not provide full specificity on timelines or definitions. The FDA’s only definition of “End of…” is: “End of support—a point beyond which the product manufacturer ceases to provide support, which may include cybersecurity support, for a product or service.”

The IMDRF standard goes into much more detail and includes time periods and the topic of software components that have already reached a retirement phase. This standard introduces some new terminology for these retirement phases such as:
  • Development
  • Support
  • Limited Support
  • End of Support
  • Decommission
But unfortunately, it only includes definitions for three phases:
  • Decommission: To remove from active service
  • End of Life (EOL): The life cycle stage of a product starting when the manufacturer no longer sells the product beyond its useful life as defined by the manufacturer and the product has gone through a formal EOL process including notification to users.
  • End of Support (EOS): The life cycle stage of a product starting when the manufacturer terminates all service support activities and service support does not extend beyond this point.
The HSCC’s HIC-MaLTS devotes a significant amount of text to the topic and does a good job describing the retirement process, especially in representing the two viewpoints of HDO and MDM. It defines the phases of this process and even provides an attestation for those definitions. Unfortunately, they align with IMDRF on defining “End of Life” as really meaning something more like “End of Marketing” (which would certainly be a less confusing phrase), and they don’t define a typical period for the duration of any of these phases. Instead, they sidestep definitions with statements such as “originally communicated period.”

However, TIR97:2019 was published three years before the FDA or IMDRF standards, and it describes the retirement process in a very approachable fashion, addressing all of the topics in the other two and bringing in some of its own. (Not the least of which is a timeline graphic that does an excellent job of conveying the process.) It is the TIR97:2019 graphic that serves as the basis for the remainder of this article.

After completing our review, we of the HSCC’s cybersecurity working group then combined these four standards and applied our collective experience to describe some typical timelines for each “End of…” phase, which resulted in the Figure 1 graphic.
  • End of Production: This term signifies the point at which the manufacturer ceases production of a particular medical device. It indicates the company will no longer manufacture or produce new units of that device. This may be due to various reasons such as the introduction of a newer version, the unavailability of components, market forces, or the decision to focus on different product lines. However, devices that have already been manufactured may still be in warehouses, distribution, circulation, and available for use. A period of 24 months should exist between notifying HDOs and the end of production.
  • End of Marketing: The end of marketing indicates the manufacturer will no longer actively promote or advertise the medical device. The device may still be available for purchase and support, but the manufacturer will not actively promote it to customers. This is what is called “End of Life” by the HSCC’s HIC-MaLTS standard.
  • End of Guaranteed Support: When a manufacturer declares the end of guaranteed support, it means they will no longer provide specific commitments or warranties for the device. This typically includes services such as technical assistance, user training, maintenance training, repairs, spare parts availability, and software updates. After this point, the manufacturer may still offer support on a case-by-case basis, but it may come with limitations or additional costs. A period of 24 months should exist between notifying HDOs and the end of guaranteed support.
  • End of Support: This term refers to the discontinuation of ongoing assistance or maintenance for a medical device. It encompasses a broader range of services beyond just “guaranteed support.” End of Support may include technical support, repairs, access to documentation or manuals, and other forms of assistance. This is also a time of “risk transference,” where all risk associated with further use of the device after End of Support is formally transferred from the MDM to the HDO. Part of this transference includes the transfer of all cybersecurity knowledge, such as known vulnerabilities, unsupported software components, software bill of material(s), etc. Once support ends, the manufacturer may no longer provide any assistance related to the device’s operation or maintenance. A period of 36 months should exist between notifying HDOs and the end of support.
  • Decommission: This phase defined by the IMDRF is not represented on the graphic as this is a process determined and performed solely by the HDO at some point following the End of Support phase. Since this activity is based on an HDO’s appetite for risk in the continued use of a retired medical device and may vary widely between different HDOs, we provide no recommended time period between these two life cycle phases.
It’s important to note these terms are not always used consistently by all manufacturers or regulators. Also, there are no regulatory requirements governing these recommended periods between notifications and “End of…” events. Therefore, it’s advisable to refer to the HDO’s and MDM’s contracts and official communications for precise information regarding a particular medical device’s retirement lifecycle phases.

Hopefully, this article and accompanying graphic can help serve as a reference for our industry on terminology to use and further normalize best practices to follow when retiring medical devices. 

Reference
  1. bit.ly/mpo230931

Christopher Gates is the director of Product Security at Velentium. He has more than 50 years of experience developing and securing medical devices and works with numerous industry-leading device manufacturers. He frequently collaborates with regulatory and standard bodies, including the CSIA, Health Sector Coordinating Council, H-ISAC, Bluetooth SIG, and FDA to present, define, and codify tools, techniques, and processes that enable the creation of secure medical devices.
