Table of Contents

The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to the use of off-the-shelf (OTS) software in medical devices. The document provides an overview of the applicable regulatory requirements, as well as additional recommendations and clarifications to be taken into consideration by medical device manufacturers and other parties involved in order to ensure compliance thereto. At the same time, provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations.

Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach is in line with the existing legal framework and has been agreed with the authority in advance. 

The document provides an overview of the general considerations for OTS software used in medical devices including, inter alia, the ones related to operating systems, drivers, and utilities. 

According to the FDA guidance, the interaction between operating systems (OS), drivers, utility software, and networking technologies is vitally important for ensuring the safety and proper performance of medical devices. The guidance outlines how these software components interact with hardware used in healthcare settings and specifies the parameters for evaluation and validation to be taken into consideration by medical device manufacturers and other parties involved.

Operating Systems

The operating system acts as the main element of a computer’s functionality, managing core operations, including task scheduling, memory allocation, and data storage. While the use of general-purpose off-the-shelf operating systems can simplify the development process, their use in a medical context presents several challenges outlined further in the guidance. 

As explained by the FDA, these OTS systems are usually designed for general-purpose computing where a certain level of errors and failures may be considered acceptable. However, due to the importance of functions performed by medical devices, the medical environment demands a higher degree of reliability and fault tolerance.

Consequently, using a general-purpose OS can introduce unnecessary complexities and potentially hazardous errors. These errors could be related to the specific nature of a general OS, which is presumed to be a one-size-fits-all solution, overloaded with functionalities that are irrelevant for specialized medical applications but could be potential sources of failure or malfunction.

Driver Software

OTS driver software acts as the mediator between the CPU, the operating system, and the input/output peripherals. However, according to the FDA guidelines, these drivers are often designed for general-purpose configurations and may not perform optimally in specialized settings such as medical devices. Therefore, their validation should be a part of the overall system interface validation process to be duly carried out by a party responsible for a medical device in question. According to the guidance, this process should involve detailed tests that validate data values, control signals, and timing signals for both input and output functionalities. 

Utility Software

Utility software is specifically designed to improve or even replace functions generally managed by the OS, such as file management or memory allocation. These products are vitally important in a medical device setting where data integrity is to be maintained. As explained by the authority, such utility software should be subject to rigorous validation in order to ensure its efficacy and safety. This validation process should assess the risk of serious injury patients, medical staff, or any other individual are exposed to when establishing their appropriateness for medical applications.

Involuntary Termination of Subject’s Participation

The aforementioned regulation also requires informed consent to address anticipated circumstances under which the subject’s participation may be terminated by the investigator without regard to the subject’s consent. 

According to the document, the informed consent process should also disclose the circumstances under which a subject’s participation might be terminated involuntarily by the investigator. This could occur if a subject fails to comply with the investigation protocols, such as missing scheduled clinic visits or not following the dosage or device instructions.

A generalized statement about potential withdrawal by the investigator is deemed inadequate by the FDA – all such cases should be clearly described. The authority additionally emphasizes the importance of ensuring that subjects are informed about the specific circumstances that could lead to their involuntary termination from the study, as well as how their already collected data will be managed.

Additional Costs to Subject

When it comes to costs, informed consent should provide information about any additional costs to the subject that may result from participation in the research. 

Transparency regarding any additional costs that may be incurred by the subject during the investigation is mandatory. Subjects should be well-informed about any out-of-pocket expenses, such as insurance deductibles or copayments, and whether funds are available to cover these additional costs. The FDA recommends that, due to the complexity of this issue, subjects may need to consult with financial advisors to fully understand the cost implications.

Networking and Local Area Networks (LANs)

In the modern medical environment, LANs and other network systems are quite often integrated for efficient data management and collaborative clinical work. According to the guidance, a detailed requirements analysis should be duly carried out before any such integration. The scope of evaluation should cover such factors as the response time required for safe operation, the architecture and topology of the LAN, and computational sufficiency. 

Furthermore, issues of data integrity are vitally important. The FDA recommends the incorporation of error-checking, handling, and correction measures as part of a comprehensive cybersecurity risk assessment. Additionally, Network Management and Security protocols should be designed to require user authorization and authentication, especially when it comes to accessing sensitive patient data.

Innovative Technologies

As indicated by the FDA, the field of medical device software is rapidly evolving to include innovative technologies such as artificial intelligence (AI) and machine learning (ML). Specific aspects related to the use of these technologies in medical devices are covered in separate guidance documents issued by the FDA.

In summary, the incorporation of OTS operating systems, drivers, and utility software into medical devices presents both opportunities and challenges. While OTS components offer ease of development and operation, they should be subject to careful assessment and validation in order to ensure they meet the strict safety and efficacy requirements of medical applications set forth under the respective legal framework. Furthermore, the increasing complexity introduced by networked systems and innovative technologies including AI and ML requires ongoing vigilance and compliance with the relevant FDA guidelines.

Sources:

https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use-medical-devices

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.