The proliferation of medical device software (MDS) potentially increases the risks of patient injury from software defects. The US Food and Drug Administration (FDA) in 1998 updated its MDS regulations, moving away from a product-based regulatory approach toward one more focused on quality assurance processes. However, what constituted acceptable software quality assurance (SQA) processes and whether regulations could be met by the use of third-party standards was not specified. The FDA has implicitly sanctioned using third-party SQA audits in submissions for accelerated review of modifications of existing MDS, but it has neither approved nor rejected their use in submissions for new MDS approval. Suppliers must assess whether adopting a third-party SQA standard assures full or only partial conformance with FDA requirements because they remain potentially liable for damages resulting from software defects. However, substantial differences in the philosophy and organization of FDA requirements and third-party standards make this assessment difficult. This research develops a framework to assess whether third-party SQA standards can meet FDA requirements and then employs the framework to determine if ISO 9000-3 or the Software Engineering Institute's Capability Maturity Model is sufficient to meet such requirements. The authors' research analyzes four SQA categories specified by the FDA guidelines: process management, requirements specification, design control, and change control. Analysis indicates that while neither third-party SQA standard by itself fully meets FDA requirements, either standard is worth adopting and is approximately equivalent in its usefulness.
Published in: IEEE Transactions on Engineering Management (Volume 48, Issue 4)
Date of Publication: Nov 2001