So, you want to develop software for medical devices.
Welcome to the fire. It’s hot in here, and you need to be prepared.
If you make mistakes, people can get hurt. People can die. Real people – children, parents, old friends, beloved relatives. It’s vitally important that you remember this. It’s easy to forget when you’re reviewing a test protocol for the ninth time and the project is six months late and counting and the vice president of product development is calling you every other day and talking about canceling the whole program and… yuck.
Every business that develops and sells devices must satisfy the constraints of business, but to work in a safety-critical, regulated environment such as medical devices, there are additional requirements that you must satisfy.
If you are developing software for medical devices, here’s what you need to develop a device that is safe:
- The Safety-Critical Mindset
- Sufficient Technical Skills
- Compliance with Regulations and Standards
I put these in order of priority. Notice that I put Regulatory Compliance last. It’s necessary, and without it you will not sell any medical devices. Naturally, it gets all the attention. But… the first two components are even more important.
My colleague Mike Drues, a respected consultant on regulatory strategy, calls this “being a prudent engineer”. In his podcasts and articles, he rightly hammers the point that as medical device professionals, we must first prove to ourselves that our devices are safe and effective. Then, and only then, do we attempt to prove that to the FDA or other regulatory bodies.
Whether you are an individual contributor, or a manager or executive in charge of a software team, you must satisfy all three of these conditions.
Let’s briefly review what I mean for each one.
The Safety-Critical Mindset
As the developer of a medical device, you must have:
- a deep and constant appreciation for the responsibility you carry, which drives…
- a healthy paranoia about all the ways your device can fail and hurt people, tempered by…
- engineering judgment that you use to objectively evaluate risks and the mitigations for those risks
Without the proper mindset, you will be a box-checker. You will go through the motions of satisfying regulatory compliance, but you will cut corners and “just try to get it past the FDA”. Your device may hurt people.
Sufficient Technical Skills
Having a great mindset won’t help you if you don’t know enough to even think of a particular risk. If you don’t know what a race condition is, or that memory fragmentation can cause unacceptable timing delays in hard real-time systems, then all the paranoia in the world won’t help you. Occasional failures in consumer electronics may be annoying, but occasional failures in medical devices can be fatal.
You don’t have to, and can’t possibly, know everything. Especially early in your career, you will need to work with more experienced engineers who can mentor you and help you level up your skills. Later in your career, when you achieve competence and then mastery of software development, you will still need to consult frequently with other experienced professionals to review your work and guide you in areas that fall outside of your expertise.
If you manage a team, you must ensure that you have competent engineers in each technical discipline required by the design of your device. You must also ensure that someone is looking at your device from a systems-level view.
Without sufficient technical skills, you will miss things. You may diligently attempt a risk analysis, but some hazards or risks just won’t occur to you. You can easily introduce software bugs that occur infrequently, so they aren’t likely to be caught by testing. Your device may hurt people.
Regulatory Compliance
If you want to sell a medical device in the United States, you must prove to the FDA that it is safe and effective. There are many pathways to regulatory approval, which depend heavily on how risky your device is, but in the end, you must demonstrate to the FDA that you know what you’re doing. It’s not enough to just know what you’re doing. It’s not enough to have developed the safest and most effective device the world has ever seen. You must prove it to the FDA by clearly documenting your development process.
Without regulatory compliance, you won’t sell any devices. Funding exhausted, game over.
Putting it all together
A process is only as good as the people who implement it. Medical device companies can fulfill all regulatory requirements and still release poor-quality devices that hurt and kill people.
As a medical device developer, it is incumbent upon you to take responsibility for your work. Lives depend on it. Convince yourself that your device is safe. You should be the most difficult person to convince.