Regulating Dangers

By John McCormick  |  Posted 2004-03-08 Print this article Print

The Therac-25, according to John Murray, head of software regulatory efforts at the FDA, was a "seminal event" for the agency. After the incident, the FDA for the first time turned its attention to the software that had begun to control medical devices.

The FDA has the power to inspect the work of manufacturers; to ask manufacturers to recall products; to have federal marshals seize products if a voluntary recall isnt done; and to ask the courts to issue injunctions against the distribution of products if a manufacturer does not have good manufacturing procedures in place.

To help software manufacturers, the FDA issues "guidance" documents that recommend that manufacturers follow generally accepted software-development standards; keep track of their design specifications; and conduct formal reviews and tests of the code they produce. Arne Roestel, Multidatas president, says the company followed the FDA recommendations.

But there are few specifics. According to the FDAs "General Principles of Software Validation," which went into effect in January 2002, "This guidance recommends an integration of software lifecycle management and risk management activities. Based on the intended use and the safety risk associated with the software to be developed, the software developer should determine the specific approach, the combination of techniques to be used, and the level of effort to be applied."

In the wake of Panama, some industry experts wonder if theres enough oversight of medical-device software-or, for that matter, software development in general. They say the time might be right for tougher regulation.

Software engineer Ganssle, for one, notes that programmers dont need any form of certification or license to work on commercial software, including life-critical medical device software. Yet, he says, "In Maryland, where I live, if you want to cut hair, you need to be licensed."

Besides the FDA, there are few federal agencies policing software-development practices. The Federal Aviation Administration oversees the flight-control software in commercial aircraft. The Nuclear Regulatory Commission (NRC) watches over the software that runs nuclear plants. And thats about it, for oversight of commercial software. The Occupational Safety and Health Administration, the Consumer Product Safety Board and other agencies charged with protecting factory workers, professionals and consumers say they dont worry about the quality of software in tools or toys.

Next Page: What went wrong.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel