🔥 Find me at MedicalDevicesGroup.net 🔥
For software that falls under the medical device category, does coding have to follow a specific guideline or standard to be FDA compliant?
< 1 min reading time
As originally asked by Erica Reid.
IEC 62304 is a good standard to start with. I would also refer you to ISO 13485 for important guidance on higher level design controls which will be important if you will be seeking either EU or FDA regulatory clearance in the product path you envision.
Unfortunately, good/preferred software development practices for medical device software development are not easy to develop from simply reading those standards. If you have experienced developers that have operated in an environment where good software engineering practices were learned, you have a great start. If instead you have smart people that have learned to hack out code and then debug until an acceptable code (or codes) are produced, you can’t really go backwards to create the quality engineering practices needed (and required by regulations).
You also will need a healthy understanding of risk management/risk mitigation commensurate with the level of controls attendant to your device (is it Class I, II or III).
Its very common for entrepreneurs, scientists and even smaller design shops to approach the software development part of a device as a “sub-assembly” that presents an opportunity to save time and money when prototyping. This is fine for general prototyping purposes, but unlikely to pass regulatory scrutiny, or due diligence assessment by potential acquirer. In this case I would recommend going with a very common language (like C, C#, JAVA, etc) The reason is that it will be easier for a professional medical software development organization to take over the code and bring it up to standards later. If you use less common development environments you would then force a total re-code.
Now regarding coding standards, yes, I couldn’t agree more with many of the posters above. Coding standards allow engineers to more easily adopt others code, allows code standard tools to provide early detection of potential errors and helps teams to build cohesive applications that follow good design principles.
You must have your requirements and specifications clarified up front before coding starts. Otherwise verification and validation are very challenging. For physical aspects of a device, you can do this retrospectively (undesirable, difficult and morale-destroying, but possible, to an extent). For software, if you haven’t done this up-front, it usually isn’t even possible. Compliance requires traceability all the way through from inputs, through V&V.
In principle, you should contractually require suppliers to retain records of the software design and implementation for a suitable period to account for the potential need to conduct post-market activities. That is assuming they do not hand over the intellectual property.
I posted this because it is good to know what to do, but I believe it is better to know why to do it.
Note that if, instead of an outside software development firm with its own organization, you just have a bunch of independent coders (independent from the manufacturer AND independent from each other), each of which has his own written coding standard that he/she follows, in theory that could be made to work but in practice it would be very difficult to show the FDA that the manufacturer has proper controls over the development process… somebody has to be centrally in control of (and responsible for) the software, and whoever that is should generate and control the coding standard.
My most recent project was as a contractor and software technical leader for a large medical device company. I recruited and hired a team of programmers, all independent contractors, and each with his own ideas about how to do things. I wrote the coding standard on behalf of my client, had it reviewed by my team and a couple of my client’s engineers, and required that the programmers all follow it. My client could have just as well written the coding standard and required that we all follow it, but they didn’t have the time or the resources to do that and so they delegated that to me.
Marked as spam