Mitigating Medical Device Software Risk

In the past few years, medical devices have become increasingly dependent on software. More than 50 percent of medical devices now rely on software for some functionality. The software either is embedded in the device or plays an integral role in its production. For example, modern infusion pumps contain more than 100,000 lines of code, while proton bean therapy machines can contain more than 1 million.

Software integrity is not a “nice-to-have” quality in medical devices. Defects or bugs in the software can lead to device malfunctions that could result in injury or even death. With the serious nature of medical devices, the Food and Drug Administration has strict regulations that original device manufacturers (OEMs) must follow for their products to reach the market. However, with the dramatic increase in software and the expanding global supply chain, the risk of defects and bugs in the software also increases.

To mitigate this risk, OEMs should employ a set of policies in the software development phase to ensure the code meets the federal guidelines every step of the way. To that end, implementing a governance solution in development helps manufacturers ensure compliance to these policies in several ways:

  • Defining policies based on FDA guidance . OEMs must establish clear and specific policies that align with regulatory requirements. For example, a policy based on FDA guidelines would require all runtime errors to be identified and fixed before software can move on to the next stage in the development process. A governance solution provides a centralized location to define these policies and set thresholds to test against to validate ongoing compliance.
  • Testing often and early . Once an OEM defines its policies, those policies must be tested against. Implementing a governance solution in development enables teams to test software, whether developed in-house or from a third party, against the established policies and then fix any defects that arise while the code is still in development, where issues are least expensive and time-consuming to fix.
  • Controlling risk and compliance . Beyond setting policies and testing for defects, a governance solution allows managers to gain visibility into the quality and risk of software in the device supply chain. This visibility can ensure that progress made in development does not compromise regulatory guidelines or compliance metrics.

A governance solution is one way that medical device OEMs can overcome the challenge of managing the risk of failure inherent in software.

11 comments on “Mitigating Medical Device Software Risk

  1. arenasolutions
    November 29, 2011

    I agree with your points. One way I think companies can mitigate risk is with a strong focus on compliance and documentation. Truly, there are other industries where you can sort of “get by” with shoddy documentation, but in medical device, that just won't cut it.

    Given that companies now develop and store the majority of their business and product information in electronic systems, it follows that documenting changes to that information could be done electronically as well.

    We published a white paper intended to help companies who plan to upgrade their paper systems or augment their electronic records management with an electronic change control system that your readers may find useful.

    In addition, medical device companies are more “at risk” because of the audits always hanging over their heads. To help with that, we created a white paper – – 5 tips to passing an FDA or ISO audit. Hope that's helpful!

  2. Ms. Daisy
    November 29, 2011

    Andy, great post! As a consumer of medical devices, I had been really concerned with the increase in the electronic software in patient care and pondered about managing the risk posed by failure of software in these devices. You stated in your post the need for ongoing and effective management of risks posed by software use in medical device, and the call for governance solution is a good call.  

    The policies and procedures that meet regulatory standards are important aspects of the risk management since they provide comprehensive support for information governance solutions and help companies to respond to data quality, security, and privacy at the entry points; auditing, retention, archiving and optimization at a later stage.  The ongoing tuning, performance analysis, and monitoring will certainly go a long way to mitigate software risks.

     We need information governance solutions to help transform data into strategic assets that can help lower cost and risks, increase the organization’s profitability is  critical especially now during this weak economic period.

  3. Daniel
    November 30, 2011

    Andy, you are right. Most of the medical devices are making use of embedded software and IT applications. But I think the credibility of such systems is yet to be proven. I have experienced these difficulties during the diagnostics phases in hospitals. For example, there are differences in values for BP reading between the manually taken and from automated machines. The case is same for diabetics and lipid profiles. Those hospitals who possess such machines are clamming that machines are accurate than manual and others as vice versa. 

  4. prabhakar_deosthali
    November 30, 2011

    When a million lines of code becomes part of an embedded device for some life critical medical devices, just following compliance procedures and having the documentation is not enough. We need traceability of the fault embedded into the product itself which should be able to pinpoint a particular module or the interface very precisely in that maze of 1 miilion lines of code. 

    A new methodology is required to integrate such huge amount of code which  forces automated tests as each code module gets integrated into the product and kind of regressive analysis when a bug is found at a certain stage of integration.

  5. Jay_Bond
    November 30, 2011

    I think having a governance solution is vital. Without governance companies are putting themselves at serious risk and could be wasting many resources ensuring the software is functioning properly. There needs to be a better system in place to ensure things are running properly.

  6. DataCrunch
    November 30, 2011

    Good points and they can be applied to every industry.  The embedded device field of Machine-to-Machine (M2M) technology is expected explode in the coming years.  In fact, in a recent research report by Analysis Mason, the global market for M2M device connections will grow to 2.1 billion in 2020.

  7. Anne
    November 30, 2011

    This is a nice blog with good points on mitigating the medical device software risk.  In addition, OEM should also provide adequate and regular software maintenance plan and agreement to forestall any malfunctioning, and give the performance improvement.

  8. Ms. Daisy
    November 30, 2011

    Andy, great post! As a consumer of medical devices, I had been really concerned with the increase in the electronic software in patient care and pondered about managing the risk posed by potential failure of software in these devices.

    You are absolutely right about the need for ongoing requirements of effective management of risks posed by software use in medical device. The policies and procedures you mentioned provides comprehensive support for information governance solutions. This will help OEMs to respond to data quality, security, privacy at the entry points and auditing, retention, archiving and optimizationat a later stage. 

    The need for information governance to help transform data into strategic assets that can help lower cost and risks, increase the organization’s profitability is  critical especially now during this weak economic period. 

  9. Ms. Daisy
    November 30, 2011

    @ Anne, I agree with your call for OEMs to provide adequate and regular software maintenance to forestall any malfunction. I also see the need for the call by Andy for governance solution as a good one. The potential risk associated with software malfunction calls for ongoing tuni ng and performance analysis.


  10. Barbara Jorgensen
    November 30, 2011

    This blog is a real eye-opener. It makes perfect sense that the software in medical devices should be defect-free. But look at consumers' tolerance for software flaws–we pretty much take them for granted. I'm glad there are agencies and companies looking out for this type of thing, and recommendations like the ones you outline here.

  11. electronics862
    November 30, 2011

    Thanks for the blog, it is really needed to define some policies to avoid the malfuction of the medical instruements which are embedded in key areas of medical environment. They should be rigourously tested before sending out to the market. Quality assurance in the medical area should definitely be 100% will avoid disaster. 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.