Daniel R. Matlis02.27.07
Can I Make Your Pacemaker Software Run Faster?
Daniel R. Matlis
Visit any college campus or high-tech company, and you’ll see the rise of open-source software. Leading the charge are Linux, the free operating system; Apache, the free HTTP Web server; and Firefox, the free Web browser.
So what is open-source software? It is software whose source code is published and made available to the public, enabling anyone to use, copy, modify and redistribute the source code without paying royalties or fees. Open-source code is developed through community cooperation.
According to Technology Analysts IDC, Linux server sales have seen 14 consecutive quarters of double-digit growth, with year-over-year revenue growth of 20.8%.
As corporations continue to expand the role of Linux servers into an increasingly wider array of commercial and technical workloads, the footprint of Lintel (Linux-Intel) servers will continue to grow.
Device Firms Use Free Software, Too
In the life-sciences market, open-source software has begun to make inroads over the last few years. A number of leading medical device companies, including GE Healthcare and Siemens, offer systems running on Linux.
After all, the price is right and the quality is pretty good—but is it good enough for the FDA?
The FDA regulates the software used in medical devices under the Quality System Regulation (21CFR§820). The agency also has issued a number of guidance documents on the use of software in medical devices, and nowhere in the regulation or guidance does the FDA require that software must be purchased to be used in a medical device.
Indeed, the FDA does not prescribe the type of software to be used in medical devices; it leaves the choice to the manufacturer. But with choice comes responsibility. While the agency does not require or favor the use of commercial over free software in medical devices, the Quality System Regulation does require that medical devices automated with computer software be subject to design controls.
The FDA’s guidance document, titled General Principles of Software Validation; Final Guidance for Industry and FDA Staff, states:
“Where the software is developed by someone other than the device manufacturer …the party with regulatory responsibility (ie, the device manufacturer) needs to assess the adequacy of the off-the-shelf software developer’s activities and determine what additional efforts are needed to establish that the software is validated for the device manufacturer’s intended use.”
The Free Software Foundation (for more information about this organization, see sidebar, “Not All Open-Source Software Is Created Equal”) recently published an article in which the foundation’s position was stated on this topic.
The article noted: “Medical devices are (theoretically) programmed to a high standard of safety, and careless modification could cause great harm. Medical device manufacturers want to Tivo-ize their devices so that only they can upgrade the software on them. They claim that this is necessary for compliance with FDA regulations.”
To better understand this position, it is important to understand that the Free Software Foundation views free software in the same light as free speech. The organization asserts that community members should have the freedom to improve a program and release those improvements to the public, so that the whole community benefits. Access to the source code is a precondition for this.
The difficulty with the use of free software in medical devices is that it falls in software quality limbo. After all, there is no vendor to audit or documented evidence that design controls were followed, or even that a quality system exists or was followed in the design and testing of the software.
Off-the-Shelf Products Gain Momentum
As the use of general-purpose computer hardware becomes more prevalent, manufacturers increasingly are using off-the-shelf (OTS) software as part of medical devices. The use of OTS software in a medical device allows the manufacturer to concentrate on the application software needed to run device-specific functions. However, OTS software intended for general-purpose computing may not be appropriate for a given specific use in a medical device. The medical device manufacturer using OTS software generally gives up software life-cycle control but still bears the responsibility for the continued safe and effective performance of the medical device. This often is accomplished in the form of a vendor audit program.
Auditing OTS vendors can be hard enough, but, generally, manufacturers can perform an audit of their software providers to assess the quality systems they have established and ensure that they are following the manufacturer’s quality system. Whom does a manufacturer audit for an open-source code?
Nevertheless, this does not purge the use of free software in devices. It does, however, put the burden for proving and documenting that the software meets the intended use squarely on the shoulders of the device manufacturer. The level of diligence required for free software is not unlike that of custom software. The cost of the open-source software—free—may offset the cost of this additional compliance burden, but that is a business decision each manufacturer must make.
Free software has a place in the medical device industry. If you want to run your HTTP server on Apache, go ahead (after you have assessed the impact on you compliance program)—but before you use open-source software in your medical devices, it is imperative that you test and validate the software for your intended use.
After all, device software is one area in which reliability and safety always should come before speed and cost. After all, making a pacemaker run faster is not always a good thing.