Not-so-soft(ware) side of the FDA
The Food and Drug Administration is developing new guidance documents for how it will regulate mobile devices and electronic health records. The work is part of the agency's continuing efforts to refine its focus on software.
The FDA considers any software program that tracks, diagnoses or treats a disease as a medical device, subject to all its regulations, said FDA software compliance expert Murray. As such, programs, including medical apps on smartphones, are subject to strict design controls. These are typically based on the IEC 62304 international standard, Murray said in a talk at the DesignMed conference.
The controls apply both to in-house-developed code and software purchased from outside a company. Internal code must conform to a written plan that details how design requirements are documented, how design outputs conform to those requirements, and how the finished programs are verified and validated.
Even free open-source code requires documentation about where it came from and why it fit the design requirements. Like internal code, it is also subject to a risk analysis.
Engineers need a process for tracking design changes as well. That process, however, can have attributes that measure the safety impact of a change, so that every software alteration does not have to be tracked by quality systems.
Companies using automated electronic design control systems must ensure those programs conform to FDA regulations too, added Murray. The FDA has separate regulations to cover software in medical devices, automated production systems and computers used in clinical trials or electronic record-keeping.
"There are FDA regs on how to write FDA regs and guidance documents on how to write guidance documents," Murray quipped.
If it all sounds onerous, that’s because it is, medtech engineers said at DesignMed. Murray admitted the FDA can be like a foreign country with its own language. "You need to have at least one person in your company who understands that language," he said.
So far, the FDA has approved about three smartphone apps as medical devices, including one the proverbial doctor on a golf course could use to view data remotely from a hospital's patient monitoring system. The underlying handset or PC that runs a medical app is not considered a separate device that needs approval, but the limitations of the hardware must be a part of the software's risk analysis controls, Murray said.