There, I knew that would get your attention.

I spoke today at some length with John F Murray at the FDA, who is the lead author of the new Guidance.  He said quite explicitly that the FDA regulations do not apply to standard patient record keeping systems.  He referred me to HIPAA for guidance about that.

However, and much more interestingly, I asked him if the FDA had discussed open source software.  He said they had.  He said the upshot of their discussions was that, for anything except "high risk" medical devices, Linux was an acceptable operating system.  When asked why Windows would be acceptable for a "high risk" device but not Linux, he said that the FDA has access to Windows source code (hence, to the FDA, Windows is to some extent open source) and their validation procedures.  I have the feeling that the thing that they don't like about Linux is that even though it is open source, they think it may be a moving target.  For example, they lead off their guidance by saying:

The FDA's analysis of 3140 medical device recalls conducted between 1992 and 1998 reveals that
242 of them (7.7%) are attributable to software failures. Of those software related recalls, 192 (or
79%) were caused by software defects that were introduced when changes were made to the software
after its initial production and distribution.

These concerns could clearly be met by simply taking a "stable" version of an open source system and sticking with it.

My impression is that the FDA is pretty enlightened about all this.  We have just had an epiphany about regulation in the US (Enron) and I think we should realize that regulation is a good thing.  Apparently Mr. Murray was at a meeting with manufacturers of laser eye surgery devices and asked what the device did when Windows crashed.  They hadn't thought of that.
