[SystemSafety] The FAA Software Precertification Pilot Program

Brian Pate brian at softwarecpr.com
Wed Sep 28 13:56:05 CEST 2022


Hi Derek,

The premise of the original pre-cert program from FDA was to explore if the US medical device software clearance or approval process could move from the current “premarket review - “show us your quality assurance argument,” to a “software update process review - show us how you will assure quality for a future software release stream.”  Under current US regulations, significant changes to a medical device, including software, must be cleared or approved by FDA prior to release to users (premarket review).  This review can be lengthy (4 months or more).  Traditionally a manufacturer might only update software in a medical device every 2 years or so, but of course these days manufacturers want to release new software versions very frequently - and the premarket review process is seen as an unnecessary hurdle.

The pre-cert program explored whether one could “certify” the software development process itself and then expect the software releases to possess the required quality level.  I believe that the current US CFR simply did not have the framework to allow releasing changes to medical devices, with potentially new intended use and new risks, without the premarket approval process.

Some feel that changes need to occur to the US regulations to accommodate frequent release software; others believe the regulations are fine and FDA can just use “Guidance Documents” to advise on what types of software changes warrant premarket review versus changes that do not.  For example, manufacturers should be encouraged to push cybersecurity patches quickly without premarket approval - and use an “annual report of changes” type approach.  Likely there may be other changes that fit the “no premarket review needed” path.

Obviously the unintended effects of a software change are very important when one considers “simple changes.”  IEC/TR 80002-1 addresses this a bit (and is a recognized consensus standard with FDA) but I believe there are large discrepancies in skill sets with medical device software development staff in applying architectural and design strategies to minimize impact from software changes.

​Brian Pate
Crisis Prevention and Recovery, LLC, SoftwareCPR®


On Sep 27, 2022, at 5:00 PM, Derek M Jones <derek at knosof.co.uk> wrote:

All,

I have just been looking through
"The Software Precertification (Pre-Cert) Pilot Program:
Tailored Total Product Lifecycle Approaches and Key Findings"
https://www.fda.gov/medical-devices/digital-health-center-excellence/digital-health-software-precertification-pre-cert-pilot-program

which appears to be a discussion document that
is free of any "key findings", although it does
say that: "FDA identified 250 KPIs and metrics."

Is the issue my lack of knowledge of FDA-speak,
or is the intent to be wishy-washy?

This report from 2019 is more substantial
"Developing a Software Precertification Program:
A Working Model v1.0"
https://www.fda.gov/media/119722/download

-- 
Derek M. Jones           Evidence-based software engineering
blog:https://shape-of-code.com
_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
Manage your subscription: https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/pipermail/systemsafety/attachments/20220928/2ec31b7c/attachment.html>


More information about the systemsafety mailing list