by tokenadult 4360 days ago
My son the hacker used to work in the medical device industry as a summer employee while he was a student. The code he wrote for a medical device user interface was to be submitted for a line-by-line code review by the FDA. He estimated that the product would actually come to market more than three years after the summer he worked on it. And maybe that is what you are encountering--the person at the company who built in the bugs you have discovered has moved on, and doesn't work at the company anymore, and the other employees there are trying to figure out how to debug that old code and fix the problem. (Similarly, my son groused about the code in the device he was working on, which was acquired by his company from another company that had originally developed the device.) Always comment your code. You never know how long after you wrote it someone else will have to fix it, especially if the code is embedded in a medical device.

Thanks - this has been in the back of my mind and is a reason I'm trying to be patient. A 2-line message saying what was happening would remove my frustration. Usually I get a corporate speak reply with a suggestion it is my fault though. What does the FDA code review do? If it isn't catching bugs that take the scanner offline for hours at a time, what is the point?

I've worked on several FDA-regulated products and have never had the FDA review my code. I would guess this only happens in extenuating circumstances. The FDA does not have the resources to do this for most products out there.

We are required, however, to review our own code and maintain records of those reviews.

Exactly. FDA doesn't review code!

If there are complaints, FDA does sometimes review the mountain of device-related documentation. Design, assembly, maintenance, end user manuals, etc. Checking the paper trail. Is the paperwork done correctly, signed by a competent employee and reviewed by appropriate persons? There also needs to be a watertight trail of employee training. Failure to have that does not end well!

Traceability (both physical and code) is another thing you better get right as a medical company. You need to know where, when, etc. each major component of the device came to be.

Medical companies literally generate so much paperwork that separate storage facilities are needed for it. While you'd obviously have it in digital format for yourself, all of it is also printed out and signed.

Compliance officer for a med device company, can confirm. Even vendor audits don't look at code, just SOPs and spreadsheets documenting that you have the processes in place to log the shit out of everything.

There's a difference between bugs that cause downtime and bugs that endanger the life of the patient, and I think the FDA is primarily concerned with the latter. I would think a bug that caused the wrong image to be captured and could cause doctors to make the wrong decisions would be taken very seriously.