An open marketplace for the verification and validation (V&V) of software solves a serious problem for medical device manufacturers. That is, how to create the software, tools and other infrastructure necessary for the manufacture of safe and effective medical devices, while meeting the requirements of government regulators around the world. The open marketplace approach proposed in this paper shifts this burden from the public to the private sector.
The new marketplace would satisfy the need of companies that do not have the capabilities or resources to do the job themselves. Furthermore, an open V&V marketplace would increase the rate at which new products are introduced, while eliminating a great deal of waste in the form of redundant code development, verification labor and other infrastructure. This solution is sorely needed in the medical device community where long (and costly) product development cycles are caused by severe testing requirements and regulatory overhead. Currently this need is met on an ad-hoc (piece meal) basis, which is both costly and inefficient.
Verification and validation (V&V) procedures are widely used in the medical device industry to determine if software works correctly and meets the needs of the patient. It's a process that ensures the quality of embedded software in devices ranging from electric toothbrushes to heart defibulators. The end result is fewer injuries and deaths that are caused by software malfunctions. Unfortunately, the V&V process is time consuming, expensive and well outside the abilities or capabilities of most medical device manufacturers. This situation is exacerbated by new regulations being imposed by the US and other governments around the world.
This article presents a roadmap for the solution of this industry wide problem by using open standards development and competitive marketplaces. The size of the medical device V&V market proposed here is estimated to be US $40+ Billion US over the 5-year period from 2005 to 2010. This new market would attract a myriad of new and existing companies to provide innovative services and technologies, thereby fostering growth in the industry and the economy as a whole.
Regulatory Basis and Need
Most medical device companies would agree that the V&V effort adds value to their products and services. Traditionally, this effort is done on a voluntary basis to ensure the efficacy and quality of their products. However, implementation is neither universal nor consistent, and many governments around the world are now imposing V&V regulations and standards on the industry.
Regulatory agencies differ on their V&V regulations. A quick summary of agencies and regulations in the United States include:
US Food and Drug Administration (FDA):
- 21 CFR part 820: design validation and production controls.
- 21 CFR part 11: electronic records
US Health and Human Services Administration (HHS):
- 45 CFR part 160 & 164: privacy standards (HIPPA) The regulations do not specify how the software is used. They apply equally to operating systems, applications and integrated circuit designs.
New Competitive V&V Marketplace for Medical Devices
The major incentive for creating a competitive V&V marketplace is to reduce the regulatory burden placed on small and midsize companies. This is one reason why small, innovative medical device companies fail in their infancy. Simply stated, the regulatory process takes so long and is so expensive that there are few companies able to survive the five or six years needed to bring a new product to market. Part of this burden is the software V&V process. A competitive marketplace would allow these companies to outsource the V&V activity and concentrate on their core competencies. As shown in the chart, the V&V task is broken up into four areas. The top block (called Acquirer Program Management) is the "buyer," who purchases from vendors in the other three blocks. The "sellers" include:
- Development Effort
- Verification and Validation Services
- Secure Code Storage Services
Currently, these functions are provided to the medical device community on a proprietary, ad-hoc basis. Unfortunately, this also means that they are not very efficient and are quite expensive to operate and maintain. However, when the principles of community software standards and open marketplaces are applied to the problem, then these three new competitive markets are created.
The main advantage to this strategy is that medical device manufacturers can shop for V&V services from a list of competitors, thereby reducing cost and increasing innovation. It also allows many companies to share common infrastructure in areas such as software development, tools and secure data storage.
This strategy is directly analogous to a farmer's market. At one level the farmers (suppliers) are collaborators because they agree to meet at the same time and place and share the costs of infrastructure such as advertising and parking. However, at another level they are fierce competitors, all vying to sell their wares. This drives down prices and makes the market more attractive to buyers. The end result is a win-win situation for both the buyer and the seller.
A farmer's market analogy is appropriate because of the low barriers to entry and wide variety of goods and services. This is a key concept in market development because farming, like medical devices, requires special skills, tools and know-how. Sugar beets and salmon are both food, but they require radically different tools and techniques to produce. On the same token, heart pacemakers require radically different technologies than MRI machines.
This means that small, specialized companies can operate alongside larger ones. This is an important concept because medical device companies generally perform their own product development in-house. An open V&V market would allow them to outsource part of the regulatory process so that they can concentrate on their core competencies.
Development Market
A quasi-open software development market exists today for medical devices. In most cases this work is done in-house, but in some cases it is outsourced. The open V&V marketplace proposed in this paper does not have a significant impact on this situation.
V&V Service Market
An open verification and validation (V&V) service market does not currently exist in the medical device software industry. However, a new competitive V&V service market is created when open technical standards and business practices are applied to the problem. These would operate as software certification companies, using business models and practices that are similar to established firms such as UL (Underwriters Laboratory), TUV or CSA (Canadian Standards Association).
For example, UL currently offers certification and standards services for Environmental and Public Health (EPH) products. Products they certify may carry the UL 'EPH' listing mark which indicates conformance to their standards for foreseeable hazards.
This same methodology could be applied to a medical V&V service market. For example, if the new market existed and UL wanted to get into the medical V&V business, then it would offer these in much the same way that it currently offers its EPH services. Some adjustment to their overall business-operating plan would be needed (such as technical capabilities and insurance coverage), but these would be minor problems that are common to every new area of certification.
Secure Code Storage Service Market
A secure code storage service market does not currently exist in the medical device software community. However, when open technical standards and business practices are used, a new and competitive secure code service market is created. These would maintain and distribute validated software using either the Internet or physical media.
For example, Intraware (www.intraware.com) currently offers secure software authentication, analysis, notification, distribution and installation services over the Internet. Various fixed-fee and subscription services are possible under this scheme. Private and public distribution plans would also be possible. Today, there are numerous companies that provide compliant, secure data storage under 21 CFR part 11.
Intellectual Property Issues
The V&V Service markets described could use both proprietary and non-proprietary software. However, each type of code would be handled under different licensing terms and other contractual arrangements.
Open Source vs. Closed Source Software
The V&V process is most effective when open source software is used. Here the term 'open source' means that the original code files are available to all of the parties in the V&V process. This is very important because software validation uses a technique called "white box inspection," whereby the source code is checked visually and with automated tools.
This is opposed to "black box inspection," which is performed on closed source software. Here, the term "closed source" means that the software is available only as a binary (object code) image that can be read by machines, but not humans. It's called "black box" because the internal operation of the software can't be viewed directly, and must be validated under special test conditions.
Proprietary software companies generally deliver their code as closed source software to prevent piracy. Unfortunately, this makes it much more difficult (or impossible) to validate the code. In general if you can't see it, then you can't verify it.
In some cases the source code for proprietary software can be shared. However, this requires special contractual provisions that are usually not offered by the vendor. Most proprietary software suppliers are unwilling to share their source codes because the practice degrades its value.
Software Sharing, Licensing and Business Model
The V&V process is most effective when software is freely shared between all of the parties. In many cases this can't be done because a license agreement prevents the device manufacturer from obtaining the source code and giving it to others. This is especially troublesome when products are shipped to foreign countries. For example, medical devices manufactured in the United States must conform to regulations controlled by the U.S. Food & Drug Administration (FDA). If these same devices are shipped to other countries, then a foreign regulatory body may have to validate the software under a different set of procedures. In these cases the local regulator would need to inspect and approve the software as well.
This creates a significant piracy problem when proprietary software is used. If the source code is handled by many agencies around the world there is always the possibility that it will 'leak' out of the system. Once that happens the value of the software is degraded or destroyed altogether. In countries with weak intellectual property laws or enforcement (e.g. China) this is tantamount to destroying the value of the software.
Open and sharable software licenses have distinct advantages in this situation. However, to combat the piracy problem the software developer generally adopts what is called the open source business model. Red Hat, Inc. and IBM are examples of companies that have adopted this model, where software is provided as a service rather than as a product. One major complaint of the open source business model is that a company's proprietary technology is lost as soon as it is shared. That's because others can freely use the 'sweat equity' that is encapsulated into the code by the original developer. This is a major hindrance to the acceptance of the open source model.
The V&V market overcomes this problem with a very unusual technique, whereby uncontrolled ('wild') documents are converted into legal documents by creating a verifiable audit trail. Once software and data has been validated it is placed into secure storage where the "owner" of the file (i.e. the one who controls the electronic access codes) can charge fees for reading and using the data.
For example, under most regulations (e.g. 21 CFR Part 11) software is verified, validated and placed into secure storage. Paper or digital signatures are required during the process to create a chain of custody. Once placed into secure storage a service company can charge fees for accessing and using the validated files. If for some reason the chain of custody is lost (e.g. by leaving the code in an unsecured location), then it is no longer validated and is useless to the medical device manufacturer. This means that the inherent value of the software is not in the code itself, but rather in the audit trail that is created by the V&V process.
The audit trail created by the V&V process contains significantly more information than the validated source code. Usually, software is attached to a design history file (DHF) that contains other data such as:
- Who developed the code (where was it obtained)?
- Who participated in the V&V process?
- Time stamp(s).
- All modified or deleted records (e.g. log file).
- Controls (e.g. 21 CFR 11.10(e-l))
- Electronic signatures TMD
This is the end of the first part of a two-part article. Updated in 2005, it is copyrighted 2004 by Silicore Corp.
Explore the September 2005 Issue
Check out more from this issue and find your next story to read.
Latest from Today's Medical Developments
- Best of 2024: #9 Article – Strategy Milling combines old and new for precision dental restorations
- Best of 2024: #9 News – Global robotics race
- Best of 2024: #10 Article – Designing medical devices for every user
- Best of 2024: #10 News – 4 predictions for 2024: AI set to supercharge robotic automation
- Children’s National, FDA collaborate to advance pediatric device regulatory tools
- LK Metrology’s eco-friendliness CMMs
- Two patents for microfluidic valves
- AMADA WELD TECH’s blue diode laser technology