I recently read an article on the Free Software Foundation’s website entitled “Regulatory compliance is no reason to lock up users.” The author states that “Medical devices are (theoretically) programmed to a high standard of safety, and careless modification could cause great harm. Medical device manufacturers want to Tivo-ize their devices so that only they can upgrade the software on them. They claim that this is necessary for compliance with FDA regulations.”
The FDA gives manufacturers the freedom to choose what software to use in medical devices. But with this freedom comes responsibility. The Agency does not require or favor the use of commercial over free software in medical devices. However, the Quality System Regulation (21 CFR §820) does require that medical devices automated with computer software be subject to design controls.
FDA’s Guidance on Software Validation states that “where the software is developed by someone other than the device manufacturer (e.g., off-the-shelf software) …the party with regulatory responsibility (i.e., the device manufacturer) needs to assess the adequacy of the off-the-shelf software developer’s activities and determine what additional efforts are needed to establish that the software is validated for the device manufacturer’s intended use.”
The difficulty with Free Software is that it falls into software quality limbo. After all, there is no vendor to audit, and no documented evidence that a quality system exists and was followed in the design and testing of the Free Software.
I know that auditing off-the-shelf software vendors can be hard enough (I tried to audit Microsoft once), but in general you can perform an audit of your software provider to assess the quality systems they have established and to ensure that they are following their quality system. Whom do you audit for your open source code?
Nevertheless, this does not preclude the use of Free Software in devices. It does put the burden for proving and documenting that the software meets the intended use squarely on the shoulders of the device manufacturer. The level of diligence required for Free Software is not unlike that of custom software. The cost of the open source software (free) may offset the cost of this additional compliance burden, but that is a business decision each manufacturer must make.
Free Software has a place in our industry. You want to run your HTTP server on Apache, go ahead (after you have assessed the impact on your compliance program), but I would not recommend using open source software in medical devices.
Device software is one area where reliability and safety should always come before speed.
After all, making a pacemaker run faster is not always a good thing.