Good Planning Avoids Costly Mistakes with Medical Devices and Medical Device Software

How do some medical device firms manage to trip over their own feet? Let us count the ways: trying to get away with “good enough,” leaving risk management and verification & validation for later, and earning a reputation for sloppy work. 


Since everyone is a patient eventually, no one wants to believe that medical devices are subject to the same design and implementation flaws that sometimes plague other electronics and software. To prevent that, the U.S. Food and Drug Administration (FDA) regulates the medical device industry. The regulatory power ranges from pre-market notification and approval of medical devices to compliance with regulations for the design process itself.


Under its Quality System Regulations to assure safe and effective devices, the FDA requires “design controls” and “validation” as part of the product-development process. These are really nothing more than good engineering practice camouflaged as regulations. These practices enable medical device manufacturers to enjoy the benefits of a well-defined engineering process: shorter time to market, more-maintainable and more reliable products.


FDA statistics show that 90 percent of all software-related product recalls are related to design flaws. (The remaining 10 percent had to do with managing the configuration, such as shipping the incorrect version.) While electronics can fail due to the reliability, stress, and wear of individual components, field failures today are more often caused by faulty design and development. That’s why regulators are so concerned with the design process and the product-validation process.


The FDA requires manufacturers to validate that a medical device’s specifications conform to user needs and intended uses, and that those specifications can be consistently fulfilled. “Validation” in the FDA’s definition is the entire collection of activities that provide objective evidence that a device works the way it’s supposed to. Besides testing, these activities include risk analysis, risk management, configuration management, control of the design and development lifecycle, design reviews/inspections, plus verification activities at each phase of the development lifecycle.


Risk analysis and risk management activities are crucial to the design of safe devices, as detailed in industry standards such as ISO 14971. They involve identifying risks and then reducing them by engineering risk control measures into the product design that lower the potential severity or probability of a failure. This process iterates until the residual risks are reduced to an acceptable level.


The biggest mistake a medical device designer can make involves the engineering process and regulatory control of the design and development process. It’s also the easiest mistake to avoid.


Many medical device companies are staffed with engineers from non-medical device industries who aren’t convinced that the engineering process for medical devices really does need to be strictly defined and followed. Unfortunately, when design controls are ignored, the lack of process and control negatively impacts the quality of a design. Risks taken with the quality of the device translate to risks for the end users. 


Design engineers sometimes resist a well-defined development lifecycle with scheduled reviews. They refuse to design products through requirements and specifications, and insist on composing at the keyboard, starting to write software or design circuits on the first day of the project. This disorganized lack of process condemns the project to many iterations as the design narrows on the final solution, and it makes verification and validation by independent testers nearly impossible. The regulatory requirements are good engineering practice! They not only satisfy regulatory compliance, but also produce better-quality, more maintainable products faster.


Often, other engineering groups follow the initial “random walk” approach. Near the end of the project, quality and regulatory engineers descend to prepare documentation for submitting the device to the FDA. If a process was not predefined or was not followed, they “retro-document” the project to make it look like it was managed under well-defined design controls. The engineers resent this phase and consider all the documentation a waste of time. They’re right! If designs are not created from requirements, or if software and circuits aren’t implemented from designs, then the value of having those documents (for anything other than regulatory purposes) has passed.


Too often, there is a flurry of activity at the end of a project. The one and only design review is hastily organized. An afternoon-long Failure Modes and Effects Analysis (FMEA) meeting is held to satisfy risk management requirements. The “final release” is handed off for some quick testing so the product can get to market. Packing all these activities in at the end of the project to satisfy the regulations simply ignores the intent of the regulation: to improve the quality of the product. All three of these activities (reviews, risk management, and verification testing) should be taking place during all phases of the development lifecycle.


Engineering quality is seldom more critical than in medical devices. A failure in the quality of the system can lead to harm for patients and other users. Recalls can damage the credibility of the company and cost millions. Regulatory action against a company can include fines, additional controls on the company, and loss of time and extra costs while processes are implemented after the fact. It can even include personal fines and jail time for individuals found to have intentionally disregarded the regulations, altered records or data, or covered up infractions.


The medical device business is a serious business and the FDA won’t tolerate violations. Get to know the regulatory requirements and comply with them. Remember, it could be you, your spouse, your parents or children who will need that device someday. Following a controlled process makes both engineering and business sense—and is simply the right thing to do.