I read an interesting article in the Economist’s Technology Quarterly of June 2nd-8th of 2012, p. 17-18, on open source medical devices software. Let me summarise for you: the article starts by showing all the benefits of medical devices software that is developed using open source models, and there are many. For example, security of high risk medical devices that might be hacked at a distance to be used against the patient could be much improved if many creative minds with different points of view work collaboratively on software for devices.
The article concludes however that open source has no place in the current regulatory environment and points only to FDA regulation for that conclusion. It quotes a pessimistic open source protagonist who states it is impossible to get open source through the regulatory process but that “It may even happen (…) in parts of the world where strict regulation does not exist.” I would rephrase: where inflexible regulation does not exist. As you know, I am an outspoken protagonist of the European CE system because I am a believer in its flexibility and have defended this against attacks to the effect that it would result in unsafe devices entering the market, for example here, here and here. In my view, the EU CE system is actually ideal for delivering open source software to the devices market, without compromising on safety or regulatory rigour in the least.
But first, why does the Economist assume that currently no open source is used in the manufacturers’ own closed systems? That is a big misconception. Manufacturers often do not even code their own software themselves entirely but often outsource that almost entirely. The most efficient way to build software is to use well established open source elements for standard operations and that is how even the most closedly developed device software is built, whether by manufacturers themselves or the aprties to whom they outsource. So, open source is in approved proprietary software already. I have evaluated many critical software systems in due diligence that were dependent on open source elements for their safe and effective operation, and that is perfectly OK because open source software is not necessarily bad software. Often it is even better.
So back to the CE system. Crucial to the manufacturer’s burden to prove the claimed safety and performance is risk management as part of the software design, among others using the EN 62304 standard. Risk management is a rational and transparent process that can very well include rationales about why it is better to use open source modules or code instead of home coded. Especially where a manufacturer can document that open source has a long standing development history, this may well make the use of open source preferable to proprietary code in terms of risk management. In addition, open source would be a plus from a clinical evaluation perspective. In the EU system the manufacturer must apply a cyclical process to keep validating its device to the state of the art, called clinical evaluation. If you use open source software that stems from an active community, you suddenly have a lot of free extra eyes assisting you in that process and helping you to improve the software. The only setback – for some – would be that an open source community normally asks that you share your improvements too and manufacturers are ot always willing to do that.
One caveat with open source that I see are the regulatory obligations of the manufacturer with respect to corrective action. It is obviously a lot more difficult to unilaterally make corrections to open source software as a corrective action in response to an incident. On the other hand, if a manufacturer is actively engaged in the developer community for that open source software, implementing corrective action may even go faster because everybody has an interest to make the code better. Such problems can be remedied also to an extent by using open source only for modules that could be replaced by other ones as a plan B. Furthermore, you have to be mindful of the license for the use of the open source software. There are copyleft and viral license models out there in the market that are very unattractive to use from a legal perspective.
So, to conclude: I do not share this pessimistic view about missed opportunities and insurmountable legal barriers for open source in devices at all for the EU system. Of course, you may need to rationalise why the use of open source software in a given case is a good idea, but you also have to manage risks for own developed software. It may actually be easier in some cases to show that existing open source software is more robust than what you could hope to develop in-house. Theoretically that means that for the EU there is no additional regulatory burden. The only burden I could imagine would be regulator or notified body bias that open source software is inherently less safe than own developed software. That type of bias is not justified as it is not evidence based and can be challenged.
I can readily envisage manufacturer supported open source communities for medical devics software that address all of the risks I mentioned and actually support the development of shared standards rendering the devices more interoperable as more manufacturers join a particular open source initiative. That would actually lead to safer and more effective devices. And it’s allowed in Europe.