by kohanz 4359 days ago
I've worked on several FDA-regulated products and have never had the FDA review my code. I would guess this only happens in extenuating circumstances. The FDA does not have the resources to do this for most products out there.

We are required, however, to review our own code and maintain records of those reviews.

2 comments

Exactly. FDA doesn't review code!

If there are complaints, what FDA does sometimes review is the mountain of device-related documentation. Design, assembly, maintenance, end user manuals, etc. Checking the paper trail. Is the paperwork done correctly, signed by a competent employee and reviewed by appropriate persons? There also needs to be a watertight trail of employee training. Failure to have that does not end well!

Traceability (both physical and code) is another thing you better get right as a medical company. You need to know where, when, etc. each major component of the device came to be.

Medical companies literally generate so much paperwork that separate storage facilities are needed for it. While you'd obviously have it in digital format for yourself, all of it is also printed out and signed.

Compliance officer for a med device company, can confirm. Even vendor audits don't look at code, just SOPs and spreadsheets documenting that you have the processes in place to log the shit out of everything.