
Brian Pate
At SoftwareCPR today, we honor our consultants that are also veterans who served in our US military! John Murray – US Navy Mike Russell – US Air Force Greg Sandoe – US Marine Corps Jordan Pate – US Army Paul Felten – US Army Thank you for your service!
Read More
Understanding OTS and SOUP is very important in every lifecycle stages of medical device and HealthIT software development.  In the late 1990’s, the US FDA first published guidance documentation on the use of Off-The-Shelf (OTS) software in medical devices (or sometimes referred to as “OTSS”).  At that time, OTSS generally accounted for a very small...
Read More
Raffaele Caliri and Jordan Pate have recently updated our 62366-1 Assessment Checklist to align with the 2020 amendment.  This version of the standard has been pared down a bit and looks a lot different than the familiar 2008 version used for so many years.  This checklist can be helpful for internal audits, supplier audits, training,...
Read More
SoftwareCPR August 2020 Newsletter has been published.  FDA news, regulatory updates, new SoftwareCPR content, software recalls, and software warning letters.
Read More
My Software Is a Medical Device … if that’s you, check out this upcoming webinar.  Our very own John Murray will participate in a webinar on August 25, 2020, and join a roundtable discussion with Bakul Patel, Director, Division of Digital Health at FDA.  Shawnnah Monterrey, CEO @BeanStock Ventures will moderate the discussion. You can...
Read More
(July 13, 2020) Amy Sellers, of Tampa, FL, USA, has joined SoftwareCPR as a Regulatory Associate.  Amy recently received her J.D. from the University of Florida Levin College of Law. She has experience in regulatory pathway decisions, including analysis of intended use and product claims, as well as analysis of design changes against US regulations...
Read More
You are likely aware of the CAPA process overall and how it fits in to the quality management system for a medical device manufacturer or supplier.  Just the name itself, corrective and preventive action, describes one of the core values of quality management.  Surely we are all motivated to identify and correct problems and issues...
Read More
FDA released a new guidance document titled, “Nonbinding Feedback After Certain FDA Inspections of Device Establishments, Guidance for Industry and Food and Drug Administration Staff.  This guidance was issued on April 22, 2020.  The background on the guidance states, “Timely nonbinding feedback can help device firms determine whether proposed actions to address inspectional observations are...
Read More
U.S. Food and Drug Administration (FDA) issued this immediately in effect guidance: Enforcement Policy for Infusion Pumps and Accessories During the Coronavirus Disease 2019 (COVID- 19) Public Health Emergency.  FDA believes the policy set forth in this guidance may help address these urgent public health concerns by helping to expand the availability and remote capabilities...
Read More
On February 25-26, 2020 the U.S. Food and Drug Administration (FDA) held a public workshop to discuss the “Evolving Role of Artificial Intelligence in Radiological Imaging.” The comment period for the public workshop is extended to June 30, 2020, in response to requests for an extension to allow stakeholders additional time to submit comments.
Read More
Today (25 March 2020), the Commission announced that work on a proposal to postpone the date of application for the Medical Device Regulation (MDR) for one year is ongoing. The decision was reached with patient health and safety as a guiding principle.  
Read More
Software Glitch over DST Birthdates A news item that reminds us of the importance of software validation, especially in cases where patient records may have birthdates impact by Daylight Savings Time (DST): Paul Eggert commented in The RISKS Digest Volume 32 Issue 16 on a recent issue with delays with hospital lab tests due to software...
Read More
FDA has issued a final order to reclassify: medical image analyzers applied to mammography breast cancer ultrasound breast lesions radiograph lung nodules radiograph dental caries detection all which are post-amendments class III devices (regulated under product code MYN), into class II (special controls), subject to premarket notification. These devices are intended to direct the clinician’s...
Read More
December 26, 2019 Excerpts from warning letter of interest to software professionals: “The inspection also revealed that your … LED light therapy devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage,...
Read More
Kicking off the new year with regulatory and standards updates.  New public courses in 2020!
Read More
FDA is raising awareness among health care providers and facility staff that cybersecurity vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers may introduce risks to patients while being monitored.  Per the FDA notice: “A security firm has identified several vulnerabilities in certain GE Healthcare Clinical Information Center workstations and Telemetry Servers,...
Read More
Going way back to the late 1990’s, FDA had an expectation that safe and effective software would require a well thought out development lifecycle that includes many activities designed to ensure the correctness and robustness of all software that was part of the medical device.  A key guidance document was created known as the General...
Read More
How do I know if my device or my software is a medical device? Watch this helpful video and learn about the 513(g) process as well.  SoftwareCPR can help you plan your regulatory strategy and handle your regulatory submissions.  We would be delighted to help!
Read More
The Institute of Electrical and Electronics Engineers (IEEE) has approved a proposal to develop a standard for safety considerations in automated vehicle (AV) decision-making.  Purportedly, the “forthcoming IEEE standard will provide a useful tool to answer the question of what it means for an AV to drive safely,” according to the lead convener.  With technology...
Read More
ISO 14971 Risk Analysis Identifying safety risks in medical devices is a challenging and laborious process.  The process standard, ISO 14971, is a systematic, total product risk management lifecycle process to identify, control, and evaluate risk, where risk is defined as the combination of severity of the harm (to people, property, or environment) and probability...
Read More
This new draft guidance explains when a Type V DMF may be used to submit information regarding a combination product for which the Center for Drug Evaluation and Research (CDER) has primary jurisdiction (i.e., CDER-led combination product) and the device portion has electronics and/or software that is planned to be used as a platform, that is,...
Read More
The FDA and the NIH National Center for Advancing Translational Sciences (NCATS)/Office of Rare Diseases Research (ORDR) conducted this needs assessment to better understand unmet medical device needs for rare diseases – ultimately to raise public awareness of these unmet needs.  Let this motivate us all to explore, push limits, innovate, and invent.  Onward software...
Read More
URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices The U.S. Food and Drug Administration (FDA) is informing patients, health care providers and facility staff, and manufacturers about cybersecurity vulnerabilities that may introduce risks for certain medical devices and hospital networks. The FDA is not aware...
Read More
August and September 2019 continued a busy trend of regulatory and compliance activity – there were 42 software related recalls!  We also announced our 2020 Public Training Course dates!  Onward to higher software quality – keep pressing forward!
Read More
The 2015 Amendment 1 update to IEC 62304 added a new clause that requires identification of “categories of defects associated with the selected programming technology” and providing analysis and other evidence demonstrating “that these defects do not contribute to unacceptable risk.”  Read a recent article on challenges with using C language.
Read More
For anyone involved in software development, the importance of software requirements cannot be minimized. Software requirements provide the definition and explanation of “what the software should do” and “how the software should behave.” The software engineers and developers use the requirements as input to the software design and coding process. The test developers also use...
Read More
Today, the German Federal Institute for Drugs and Medical Devices (BfArM) identified critical vulnerabilities in the Wind River VxWorks real-time operating system. Affected versions of VxWorks are: VxWorks 6.5 to 6.9 (End-of-Life) VxWorks 7 (SR540 and SR610) VxWorks 653 MCE 3.x (may be affected) They pointed out that VxWorks is used in many medical devices....
Read More
Some thoughts on Requirements … using the General Principles of Software Validation to help. Many times we struggle with creating software requirements and documenting them.  The FDA General Principles of Software Validation-Final Guidance helps set the FDA expectations in this area.  Section 4.1 of the guidance states: “A documented software requirements specification provides a baseline for both...
Read More
Patient Engagement Advisory Committee Meeting to Discuss Cybersecurity – September 10, 2019 On September 10, 2019 the FDA will hold a meeting of the Patient Engagement Advisory Committee. The committee provides advice to the FDA on complex issues relating to medical devices, the regulation of devices, and their use by patients. During the meeting the...
Read More
Dialog+ haemodialysis machines with software versions 9.xx (excluding versions 9.18, 9.1A, 9.1B) – software and hardware upgrade required (MDA/2019/024) Summary Manufactured by B. Braun Avitum AG – Malfunction of the temperature sensor can result in temperature of the dialysis fluid to be more than ±1°C outside the programmed values, which can lead to inadequate treatment....
Read More
Join the FDA and NITRD on July 17 for a Listening Session on Interoperability of Medical Devices On July 17, 2019, the U.S. Food and Drug Administration (FDA) and The Networking and Information Technology Research and Development Program (NITRD) will host a listening session on the interoperability of medical devices, data and platforms. During the...
Read More
The FDA is warning patients and health care providers that certain Medtronic MiniMed™ insulin pumps have potential cybersecurity risks. Patients with diabetes using these models should switch their insulin pump to models that are better equipped to protect against these potential risks.
Read More
As more “software as a medical device” (SaMD) applications are developed and marketed, there has been an increased focus on what activities and documentation are required for compliance with US medical device regulations and applicable ISO standards.  Along with the rise of SaMD has come the emergence of supporting organizational, management, and production activities that...
Read More
May and June 2019 was a busy period for software related recalls – there were 28 recalls as you will see later in the Newsletter. As you plan your software quality assurance activities, we encourage review of published recalls and consider what steps you have in your process to prevent similar problems. Onward toward higher...
Read More
The US Defense Advanced Research Projects Agency (DARPA) have released a solicitation for the “Automated Rapid Certification of Software (ARCOS)” project.  The project goal is to automate system risk assessment based on software assurance.  The project recognizes that current practices in this area rely upon human judgement which can be prone to error but also...
Read More
Another useful reference for establishing a safety culture in your software organization. “The purpose of this Handbook is to define the NASA Safety Culture Program and to provide guidance in the development and implementation—sustainment, growth, and practice—of Safety Culture at the Center level. It defines the NASA Safety Culture Model, describes the Safety Culture Survey...
Read More
This template is conceived as a partial example template for a generic small device with embedded real time control. Explanatory comments are included in << comment >>. Other text is example definition that you should replace with your own text. This is not a complete Software Configuration Management Plan, just a training example to guide...
Read More
A SoftwareCPR example for software release note and revision history.  Software Revision Level History Example
Read More
FDA announced the next phase of its Pre-Cert Test Plan implementation. Pre-Cert refers to the the pre-certification program that FDA’s Digital Health unit has been piloting. The program targets SaMD devices only at this time. This next phase seeks SaMD companies, willing to volunteer, that foresee a De Novo request or 510(k) submission within the...
Read More
This 62304 Conformance Checklist Tool is only available to Premium and higher subscribers.  See our Subscribe page for information on subscriptions. 62304 can provide an excellent framework from which to design a software process for medical device, medical mobile app, and/or HealthIT software.  62304 was created specifically for this type of software - it was not...
Read More
A 2015 article providing a review of the factors that contribute to a potentially insecure environment, together with the identification of the vulnerabilities, and why these vulnerabilities persist and what the solution space should look like.
Read More
Many years ago, Capers Jones, the software metrics guru, analyzed his database of thousands of software projects for the key factors affecting “real” software quality.  “Real” software quality relates to how the software actually performed and how robust in the field.   His list in priority order was: Programmer Application (domain) Experience Programmer Technical Experience Reuse...
Read More
In April 2019, FDA released a draft guidance providing manufacturers and FDA staff with detailed recommendations on assessing the technical performance of quantitative imaging devices and how the documentation from those assessments should be provided in premarket submissions. From a big picture perspective, one should remember the overall goal is to “provide performance specifications for...
Read More
John F. Murray, Jr, will be teaching at our June 4-6, 2019, FDA and 62304 Software course in Boston. Our course is designed to gain an understanding of how 62304 and other standards can be implemented efficiently and effectively while meeting FDA expectations as well.
Read More
The US FDA Center for Biologics Evaluation and Research (CBER) finalized the December 2017 draft guidance titled “Standards Development and the Use of Standards in Regulatory Submissions Reviewed in the Center for Biologics Evaluation and Research” today.  The guidance makes clear that CBER recognizes the value and proper usage of standards and further encourages the...
Read More
US FDA has proposed a new rule to exempt Cytometry instruments used for counting or characterizing cells (a well-understood and mature technology), from premarket notification requirements.  Cytometry instruments used for sorting or collecting cells, and instruments that are used as an automated hematology analyzer, or that perform automated differential cell counts, will still require premarket...
Read More
Today FDA qualified the Osirix CDE Software Module biomarker test for use by medical device developers to identify and enroll patients into Traumatic Brain Injury (TBI) studies.  This is the third qualification of a medical device development tool (MDDT) by the FDA, and the first of a software module biomarker test tool type. A biomarker...
Read More
Medical Device Development Tool (MDDT) Qualification The US FDA has provided guidance on the methods and approaches to qualify a medical device development tool so that medical device manufacturers or sponsors can use them to support the development and evaluation of medical devices.  The manufacturer is expected to ensure the tool produces “scientifically-plausible measurements” and...
Read More
Our March 2019 Newsletter has been published.  Learn of significant regulatory and standards related activity associated medical device software, medical mobile apps, and HealthIT software.  Also you can find dates for upcoming training opportunities.
Read More
For those currently or intending to distribute electronic labeling for their medical devices, be aware that in 2010 FDA issued a guidance entitled “Addition of URL to Electronic Product Labeling”.  This guidance contains a recommendation: “ …that manufacturers include their Uniform Resource Locator (URL) on their electronic product labels in addition to the requirements under...
Read More
1 2 3

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  June 24-26, 2025 (Boston, MA)

Multiple participants from the same company: If you register 5 or more from the same company before March 15, 2025, receive a special discounted registration of $1999 per person.  These registrations may be transferred to another person at any time. Email to register and secure the TEAM discount.


For private, in-house courses, please contact us.

Email for more info.



Being Agile & Yet Compliant (Public)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for registration!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

3 days virtual (Zoom) with group exercises, quizzes, examples, Q&A.

Lead Instructor: Mike Russell

Next public offerings:

  • Americas: 11-13 February 2025
  • EU/Eastern Europe/Middle East/Africa/Atlantic/eastern South America: 18-20 February 2025
  • Southern Central Northeastern Pacific: 24-26 February 2025
See our post titled: 1st Quarter 2025 Agile Compliant Courses Scheduled


Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.