

Originally Published MX January/February 2003


Return to Article:
The Medtech Outlook for 2003


Corey Lavinsky is CEO of Growthink Research (Venice, CA); he can be reached at 310/823-8346 or via e-mail at 

Patrick J. Driscoll (not shown) is president of MedMarket Diligence LLC (Foothill Ranch, CA); he can be reached at 949/859-3401 or via e-mail at 


Thomas J. Gunderson is senior research analyst for cardiovascular/diversified medical technology at U.S. Bancorp Piper Jaffray (Minneapolis); he can be reached at 612/303-6467 or via e-mail at


Dr. Christa Bähr, CFA, is head of the life science team and Dr. med. Jochen Badouin is a financial analyst for healthcare/clinics in the institutional equity research division of DZ Bank (Frankfurt, Germany). They can be reached at and and, respectively.


Copyright ©2003 MX

Correlating Peel and Burst Tests for Sterile Medical Device Packages

The ability to mathematically relate peel and burst test data could allow results to be taken more rapidly to production and quality control personnel.

Peel and burst tests are used by both users and suppliers of pouches to perform incoming and outgoing inspections. They are also used to validate the sealing parameters of a package and as a process control tool. Users and suppliers alike have an interest in clarifying the relationship between peel and burst tests.

Pouch users typically have developed specifications for tensile peel seal strength that are used when testing medical packaging seals. With a model for correlation between peel and burst tests, the faster burst test could be used to update such specifications without requiring an extensive revalidation program. This would make sampling and testing less expensive by reducing labor and material usage costs.

The authors used a Test-A-Pack model 2600 and a pneumatic restraining fixture for burst tests.

Because pouch suppliers' customers would prefer to use only one package-testing method, suppliers need to demonstrate that the method they use will correlate with the customer's method. Additionally, if the burst and peel tests can be mathematically related, pouch suppliers can use the faster burst test technique to provide peel test values directly to production and quality control personnel. In this way, corrective action can be taken almost immediately to prevent the production of pouches that are out of specification [1]. This will increase productivity and, at the same time, reduce labor and material costs.

The authors have developed three mathematical models and a procedure for using them. With these tools, peel seal strength can be calculated from burst data or burst strength from tensile peel strength measurements. In a study of the models, measured strengths were in the range of 1–5% of calculated values. Thus, the authors recommend the procedure as a way to correlate peel tests and burst tests.

The peel and burst tests are the most commonly used methods for measuring the seal strength of peelable flexible packages. The peel test measures the force required to peel apart a 1-in.-wide sample strip cut from the seal material. This test has some disadvantages. It is time-consuming because many strips have to be cut from a package in order to get a true measure of the seal strength. The sample strips may not contain a weak spot that would be present in the pouch. If only a small number of strips from a given package are tested, some substandard seal surface may be overlooked [2].

There is some controversy over whether to use peak or average force as a value for seal strength in the peel test. Peak force is the maximum force required to separate the sealed webs, and thus the maximum force created during peeling. Average force is calculated by dividing the energy, which is the area under the force-deformation curve, by the total length of peel. Barcan believes that the average force is a better measure, providing a more comprehensive picture of seal strength, because it considers the entire sample strip of seal and not just an instant during peel [3].

There is also some debate regarding how to conduct the test. Testing can be performed using a supported tail or an unsupported tail. According to Earl Hackett, in order to obtain good test repeatability, the peel angle of the two substrates must be maintained throughout the measurement [4]. An unsupported peel test is preferred by others, who suggest that it more closely emulates real-world conditions.

The burst test consists of pressurizing a package until it breaks. In pouches with peelable seals, the break typically occurs as a separation of the seal rather than as a rupture in the material. The pressure required to break the package is recorded and interpreted as an indication of the seal strength. The burst test can be performed with or without the use of restraining plates. When plates are used, the deformation of the pressurized package is minimized.

The burst test has gained acceptance in the medical device and medical packaging industries because it is easier to perform and can be completed in less time than the peel test. It also provides an evaluation of the entire package system, not only the seal. By pressurizing the package with air, burst testing subjects the entire sterile package system to typical stresses that the package encounters in the manufacturing, distribution, and use environments [5].


Figure 1. Cross-sectional edge view of pressurized pouch in a restrained burst test.

Theoretical equations, based on force diagrams, have been developed in order to explain a pouch's behavior during a restrained burst test. In Figure 1, D represents the plate separation, and L is the length of the pouch under test. This dimension is shorter than the restraining plates. The restraining plates apply pressure to the pouch over the contact area (length [L] times width of the pouch [W]).

To find a correlation between peel and burst tests, one must equate a force acting on a surface (burst test) with a force acting on a seal line (peel test). Good agreement was found by Wachala and Yam for paper/plastic pouches and meals-ready-to-eat (MRE) pouches, respectively [2,6]. Yam reported that good correlation was obtained for MRE pouches when tensile peel rate was controlled to ensure that it was the same as the rupture (or peel) rate in burst tests.

Yam's theoretical formula (P = 2S/D, where P = burst pressure, S = strength, and D = plate separation) was studied by Feliú-Báez for Tyvek/plastic pouches [7,8]. The tensile peeling times were controlled within a range of 1–8% of the burst times. The results showed that the formula P = 2S/D overestimated the actual burst pressure; the overestimation increased at smaller gaps. The overestimation of burst pressure was 22–49% at 0.50-in. plate separation [7].

Figure 2. Chevron seal pouch: (a) flat (b) pressurized.

The formula P = 2S/D does not account for package size. Feliú-Báez found that package size has a significant effect on the restrained burst pressure [8]. For that reason, it was hypothesized that the model accuracy could be improved by accounting for the package's dimensions. A force diagram analysis was performed on the entire pouch in order to develop a new model that accounts for package size. Figure 2 (a) shows the original length and width dimensions (LO and WO) of a flat pouch. Figure 2 (b) shows the pouch after it is pressurized in a restrained burst test. The dashed rectangular patch in Figure 2 (b) represents the flat area that is in contact with the restraining plates. The dotted intersecting lines represent the original length, LO, and original width, WO, of the pouch.

Figure 3. Force diagram of a center section of a restrained pouch with original, contact, and pressurized widths (WO, WC, and WP, respectively).

Figure 3 illustrates a force diagram of a pressurized pouch. It shows the original width of the pouch, WO; the width of the rectangular patch in contact with the restraining plate, WC; and the width of the pressurized pouch, WP. It is assumed that the unsupported outer border of the pouch deforms into a segment of a circle and that the material does not stretch much.

The original dimensions of the flat pouch are LO and WO. The length and the width of the rectangular patch in contact with the restraining plates are the following:

LC = LO – (2/4)(2πD/2) = LO – (πD/2) = LO – 1.571D   (1)

WC = WO – (2/4)(2πD/2) = WO – (πD/2) = WO – 1.571D   (2)

The length and the width of the pouch under pressure, with gap D, are the following:

LP = [LO – (πD/2)] + 2(D/2) = LO – (π/2 – 1)D = LO – 0.571D   (3)

WP = [WO – (πD/2)] + 2(D/2) = WO – (π/2 – 1)D = WO – 0.571D   (4)

The plate balances the pressure acting on the rectangular patch, and the seal balances the pressure acting on the unsupported perimeter, such that

S [perimeter] = P [working area]

Where working area = total pressurized area – contact area,

S [2(LP + WP)] = P [(LP * WP) – (LC * WC)]

Using Equations 3 and 4 for total pressurized area and perimeter and Equations 1 and 2 for contact area,

P = 2S/D * [(LP + WP) / (LO + WO – 2.142D)]

P = 2S/D * [(LO + WO – 1.142D) / (LO + WO – 2.142D)] (5)

The term within the square brackets in Equation 5, (LO + WO – 1.142D) / (LO + WO – 2.142D), will be referred to as the correction factor (CF).

The correlation obtained with Equation 5 will not be better than P = 2S/D. Because the CF is a quantity greater than 1, it will predict a higher burst pressure. Thus, it will overestimate even more than P = 2S/D. The fact that the correlation is not better even when the package size is considered suggests that other factors not included in the model can affect it. For example, the model does not account for wrinkles formed in the seal area and the amount of stretch that occurs in pouch materials during a restrained burst test (sometimes called ripple effect). In addition, if the actual geometry of the working area when deformed during a restrained burst test is not semicircular, as assumed in the model, deviations will occur between the actual and predicted burst pressures. All of these factors are difficult to measure and derive with the force diagram analysis.
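The geometry and force balance behind Equation 5 can be checked numerically. The following Python sketch is an added example, not code from the article; the seal strength of 1.2 lb/in. is a constructed value, the function names are hypothetical, and taking the longer pouch dimension as LO is an assumption.

```python
import math

HALF_PI = math.pi / 2  # the 1.571 of Equations 1 and 2


def contact_dims(lo, wo, d):
    """Equations 1 and 2: length and width of the patch touching the plates."""
    lc, wc = lo - HALF_PI * d, wo - HALF_PI * d
    if d <= 0 or lc <= 0 or wc <= 0:
        raise ValueError("plate separation D must be positive and small "
                         "enough to leave a contact patch")
    return lc, wc


def pressurized_dims(lo, wo, d):
    """Equations 3 and 4: the contact patch plus a radius D/2 on each side."""
    lc, wc = contact_dims(lo, wo, d)
    return lc + d, wc + d


def correction_factor(lo, wo, d):
    """CF of Equation 5; 1.142 = pi - 2 and 2.142 = pi - 1."""
    contact_dims(lo, wo, d)  # reject gaps the geometry cannot support
    return (lo + wo - (math.pi - 2) * d) / (lo + wo - (math.pi - 1) * d)


def burst_pressure_t1(s, d):
    """First theoretical model, P = 2S/D."""
    return 2 * s / d


def burst_pressure_t2(s, lo, wo, d):
    """Second theoretical model, Equation 5."""
    return burst_pressure_t1(s, d) * correction_factor(lo, wo, d)


def burst_pressure_force_balance(s, lo, wo, d):
    """S * perimeter = P * working area, solved for P without simplifying."""
    lc, wc = contact_dims(lo, wo, d)
    lp, wp = pressurized_dims(lo, wo, d)
    return s * 2 * (lp + wp) / (lp * wp - lc * wc)


def seal_strength_t2(p, lo, wo, d):
    """Equation 5 solved for seal strength S."""
    return p * d / (2 * correction_factor(lo, wo, d))


if __name__ == "__main__":
    S = 1.2                # constructed seal strength, lb/in.
    LO, WO = 9.125, 5.25   # one of the pouch sizes tested, in.
    for D in (0.5, 1.0):   # plate separations used in the study, in.
        p1 = burst_pressure_t1(S, D)
        p2 = burst_pressure_t2(S, LO, WO, D)
        direct = burst_pressure_force_balance(S, LO, WO, D)
        print(f"D={D}: 2S/D={p1:.3f}  Eq.5={p2:.3f}  "
              f"force balance={direct:.3f}  CF={p2 / p1:.4f}")
```

Because CF is always greater than 1 for a valid geometry, the Equation 5 prediction sits above 2S/D at every gap, which is the behaviour the paragraph above describes.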

Because the new model described in Equation 5 did not improve the predictive accuracy, it was decided to use an empirical approach. Multiple-regression analysis was used to fit actual data to a power law model. The following paragraphs provide an explanation of the methodology used and the results obtained [9].

Experiment Design

The materials tested in the experiments included a number of peelable pouches from two manufacturers. These were divided in three categories:

  • Uncoated 1073B Tyvek/polyester poly laminate from supplier A. Sizes tested were 3.25 x 7.25 in., 5.25 x 9.125 in., 7.25 x 11.125 in., 9.25 x 14.125 in., and 11.25 x 15.25 in.
  • Uncoated 1073B Tyvek/PET/LDPE laminate from supplier B. Sizes tested were 3 x 11.375 in. and 10.625 x 15 in.
  • Uncoated 1059B Tyvek/polyester poly laminate from supplier A. Sizes tested were 5.75 x 9.125 in. and 9.25 x 14.125 in.

The equipment used in the experiments included the following:

  • A Test-A-Pack Model 2600 burst tester (Carleton Technologies) with pneumatic open package fixture F100-1600-2 and aluminum restraining fixture (15 x 20 x 0.75 in.) for restrained burst tests.
  • An Instron Model 4201 Universal Testing Instrument with a 1-kN (200-lb) load cell and an x-y recorder for peel tests.
  • A stopwatch (±0.001 second resolution) for measuring the burst and peel test completion times at ASTM settings.

Testing Procedures. The pouches were conditioned at ASTM standard test conditions for 48 hours prior to testing. The following procedures were then performed.

A restrained burst test using an open package fixture was performed according to ASTM F1140-96 and ASTM F2054-00 [10,11]. Parameters under study were the flow index (1, 5, and 9) and plate separation (0.5 and 1.0 in.). The sample size used for each flow-index/plate-separation combination was 10 (n = 10). Therefore, a total of 60 pouches of each material combination were burst tested (3 flow values x 2 plate separations x 10 samples per flow-index/plate-separation combination). Power calculations were used to determine the sensitivity of the experiments when using a sample size of 10 [9].

Figure 4. Top view of sample locations in tested pouches. The pouch has the transparent plastic side facing up.

An unsupported-tail peel test was performed according to ASTM F88-99 [12]. As shown in Figure 4, 1-in.-wide specimens were cut from the region where the pouch failed during the burst test. The parameters under study were crosshead speed (10 and 12 in./min) and grip separation (1.0 and 2.0 in.). The sample size used for each crosshead-speed/grip-separation combination was 10 (n = 10). Therefore, a total of 40 pouches of each material combination were peel tested (2 crosshead speeds x 2 grip separations x 10 samples per crosshead-speed/grip-separation combination). Power calculations were used to determine the sensitivity of the experiments when using a sample size of 10 [9]. Peak and average forces were recorded.

Data analysis included both 2² factorial analyses and model validation.

2² Factorial Analyses. As shown in Table I, the factorial experiments had the purpose of determining the effect of flow index and plate separation in the burst test. They also demonstrated the effect of crosshead speed and grip separation in the peel test. All possible combinations of the factors under study were considered [13,14].

Burst test:
Flow Index — 1, 9; Plate Separation — 0.5, 1.0 in.
  Combinations: (1, 0.5 in.), (9, 0.5 in.), (1, 1.0 in.), (9, 1.0 in.)
Flow Index — 1, 5; Plate Separation — 0.5, 1.0 in.
  Combinations: (1, 0.5 in.), (5, 0.5 in.), (1, 1.0 in.), (5, 1.0 in.)
Flow Index — 5, 9; Plate Separation — 0.5, 1.0 in.
  Combinations: (5, 0.5 in.), (9, 0.5 in.), (5, 1.0 in.), (9, 1.0 in.)

Peel test:
Crosshead Speed — 10, 12 in./min; Grip Separation — 1.0, 2.0 in.
  Combinations: (10, 1.0 in.), (12, 1.0 in.), (10, 2.0 in.), (12, 2.0 in.)

Table I. 2² factorial experiments for burst and peel tests.

Model Validation. Two approaches were used for model validation: theoretical and empirical. In the theoretical approach, a force diagram analysis produced two theoretical models [8,9]:

P = 2S/D and

P = 2S/D * [(LO + WO – 1.142D) / (LO + WO – 2.142D)]

The second model is Equation 5. The analysis of these theoretical models consisted of calculating the predicted burst pressure (P) with the two formulas above, and comparing the result with the actual burst values obtained experimentally. A calculation of the percent error also was performed in order to get a numerical comparison.

In the empirical approach, multiple-regression analysis was performed [9]. The method was used to fit experimental data to different power law models. The regression parameters, coefficient of determination (R²) and the correlation coefficient (R) were obtained using statistical software. The adequacy of these models was determined by comparing actual values with the predicted ones and by calculating percent error.

Results

2² Factorial Analysis
The analyses of variance performed with the burst test results showed that plate separation had a significant effect on the burst pressure at all the package sizes for each of the material combinations tested. All p values for the analyses equaled 0.000. Additionally, the analyses demonstrated that flow index had a significant effect on the burst pressure when the extreme values, 1 and 9, were used. This was true for all package sizes and each of the material combinations tested. When comparing flow indexes, flow index 5 produced a higher burst pressure in larger packages than did flow index 1. When the comparison was made between flow indexes 5 and 9, the burst pressure tended to show no significant difference [9].

The analyses of variance performed with the peel test results showed that the crosshead speed and grip separation did not have a significant effect on either the peak or average peel test results. All p values were greater than 0.050.

Model Validation
Predicting Burst Pressure. Two theoretical models and three empirical models were used to predict the burst pressure from the seal strength values (Table II).

Theoretical Model 1:
P = 2S/D
  S = Seal Strength (lb/in.)
  D = Plate Separation (in.)

Theoretical Model 2:
P = 2S/D * [CF]
  S = Seal Strength (lb/in.)
  D = Plate Separation (in.)
  LO = Original Length (in.)
  WO = Original Width (in.)
  CF = [(LO + WO – 1.142D) / (LO + WO – 2.142D)] (in./in.)

Empirical Model 1:
P = K [X1]^p1 [X2]^p2 [X3]^p3
  X1 = {S/D} * CF (lb/in.²)
  X2 = D/LC, where LC = LO – 1.571D (in./in.)
  X3 = D/WC, where WC = WO – 1.571D (in./in.)
  S = Seal Strength (lb/in.)
  D = Plate Separation (in.)
  LO = Original Length (in.)
  WO = Original Width (in.)
  LC = Contact Length (in.)
  WC = Contact Width (in.)
  CF = [(LO + WO – 1.142D) / (LO + WO – 2.142D)] (in./in.)

Empirical Model 2:
P = K [X1]^p1 [X2]^p2
  X1 = {S/D} (lb/in.²)
  X2 = CF (in./in.)
  S = Seal Strength (lb/in.)
  D = Plate Separation (in.)
  LO = Original Length (in.)
  WO = Original Width (in.)
  CF = [(LO + WO – 1.142D) / (LO + WO – 2.142D)] (in./in.)

Empirical Model 3:
P = K [X1]^p1 [X2]^p2
  X1 = {S/D} (lb/in.²)
  X2 = LO/WO (in./in.)
  S = Seal Strength (lb/in.)
  LO = Original Length (in.)
  WO = Original Width (in.)

Table II. Theoretical and empirical burst pressure predicting models.

The empirical models in Table II are based on the theoretical formulas. The independent variables (X1, X2, and X3) are equal to terms that were derived theoretically with the use of force diagram analysis ((S/D) and CF) [9].

Regression analysis was performed for the three empirical models. The following four statements summarize the findings:

  • Lower percent errors were obtained when using average peel force rather than peak peel force in theoretical models for 1073B Tyvek/plastic pouches. Results are shown in Table III.
  • Slightly better results, in terms of correlation coefficient and average percent errors, were obtained when using average force values rather than peak force in the empirical models. This was true for all material combinations under study. Results are shown in Table III.
  • As demonstrated in Table III, the empirical models had a lower average percent error than the theoretical ones.
  • All empirical models provided good results. In general, the first empirical model provided better results than the other two. The first model, which is the closest to physical theory, resulted in slightly higher correlation coefficients. It also tended to have smaller average percent errors, which made it the most accurate. The third model is simpler than models 1 and 2, and it resulted in similar regression parameters for all three material combinations under study [9]. This makes it a very attractive model. In addition, the regression parameters are reasonable in magnitude, and the model provided good accuracy, close to that of the first model. Details are included in Table IV.

E1, Peak Force: K = 2.44, p1 = 1.01, p2 = 0.23, p3 = -0.03
E1, Average Force: K = 3.87, p1 = 1.00, p2 = 0.29, p3 = -0.09
E2, Peak Force: K = 1.36, p1 = 0.91, p2 = 3.41
E2, Average Force: K = 2.10, p1 = 0.88, p2 = 2.67
E3, Peak Force: K = 1.53, p1 = 0.74, p2 = 0.37
E3, Average Force: K = 2.17, p1 = 0.74, p2 = 0.30

NOTE: T1 and T2 = theoretical models 1 and 2. E1, E2, and E3 = empirical models 1, 2, and 3.
Table III. Burst pressure prediction model validation results for supplier A (1073B Tyvek/polyester poly laminate) pouches.

A summary of the results for all models that predict burst pressure using peak and average seal strength values for supplier A's 1073B Tyvek/polyester poly laminate pouches is shown in Table III. Similar results were obtained for the other two material combinations under study [9].

Results for the three empirical models using average values are shown in Table IV, which includes all material combinations tested [9].

E1:
  K = 3.9, p1 = 1.0, p2 = 0.3, p3 = -0.1
  K = 20.4, p1 = 1.8, p2 = 1.1, p3 = -0.1
  K = 20.9, p1 = 1.1, p2 = 2.4, p3 = -1.9
E2:
  K = 2.1, p1 = 0.9, p2 = 2.7
  K = 1.5, p1 = 1.0, p2 = 6.0
  K = 2.7, p1 = 0.8, p2 = 1.1
E3:
  K = 2.2, p1 = 0.7, p2 = 0.3
  K = 2.0, p1 = 0.7, p2 = 0.2
  K = 2.0, p1 = 0.8, p2 = 0.8

NOTE: Reg. Coeff. = Regression Coefficient, and R = Correlation Coefficient.
Table IV. Burst pressure empirical prediction model using average seal strength.

Predicting Seal Strength. The models discussed predict burst pressure (P) when the seal strength (S), the plate separation (D), and the package dimensions (LO and WO) are known. There might be situations in which seal strength (S) must be predicted from burst pressure (P), plate separation (D), and package dimensions (LO and WO). Analysis indicated that this can be done. The two theoretical models were solved for seal strength (S). Two approaches were used for the empirical models: solving for (S) from the burst pressure (P) models, and running a multiple-regression analysis to predict S/D [9]. Both methods work.

Data analysis was the same as that used for burst pressure prediction models, and the results were similar. Lower average percent errors were obtained when average forces were used, and the empirical models tended to have a lower average percent error than the theoretical models.
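The power-law fit and its inversion for seal strength can be reproduced with ordinary least squares on logarithms. The Python sketch below is an added example, not the authors' analysis or software: it fits empirical model 3 to constructed, noise-free data generated from the Table III average-force parameters for E3, and the seal strengths, the (LO, WO) orientation of the pouch sizes, and all function names are assumptions.

```python
import math


def _solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-9:
            # Happens when every pouch has the same LO/WO or every run the same S/D.
            raise ValueError("predictors are collinear: vary S/D and LO/WO")
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def fit_model3(rows):
    """rows: (P, S, D, LO, WO). Fit ln P = ln K + p1 ln(S/D) + p2 ln(LO/WO)."""
    xs = [(1.0, math.log(s / d), math.log(lo / wo)) for _, s, d, lo, wo in rows]
    ys = [math.log(p) for p, *_ in rows]
    ata = [[sum(x[i] * x[j] for x in xs) for j in range(3)] for i in range(3)]
    aty = [sum(x[i] * y for x, y in zip(xs, ys)) for i in range(3)]
    ln_k, p1, p2 = _solve(ata, aty)
    return math.exp(ln_k), p1, p2


def predict_burst(k, p1, p2, s, d, lo, wo):
    """Empirical model 3: P = K (S/D)^p1 (LO/WO)^p2."""
    return k * (s / d) ** p1 * (lo / wo) ** p2


def predict_seal(k, p1, p2, p, d, lo, wo):
    """Empirical model 3 solved for seal strength S."""
    return d * (p / (k * (lo / wo) ** p2)) ** (1 / p1)


def percent_error(actual, predicted):
    return abs(predicted - actual) / actual * 100


TABLE_III_E3_AVG = (2.17, 0.74, 0.30)  # K, p1, p2 from Table III
# Supplier A pouch sizes from the article, taken here as (LO, WO) in inches.
POUCHES = [(7.25, 3.25), (9.125, 5.25), (11.125, 7.25),
           (14.125, 9.25), (15.25, 11.25)]
SEALS = [1.0, 1.1, 1.2, 1.3, 1.4]  # constructed average peel forces, lb/in.


def constructed_rows():
    """Noise-free burst pressures at both plate separations (constructed data)."""
    rows = []
    for (lo, wo), s in zip(POUCHES, SEALS):
        for d in (0.5, 1.0):
            p = predict_burst(*TABLE_III_E3_AVG, s, d, lo, wo)
            rows.append((p, s, d, lo, wo))
    return rows


if __name__ == "__main__":
    k, p1, p2 = fit_model3(constructed_rows())
    print(f"K={k:.2f} p1={p1:.2f} p2={p2:.2f}")
    p_obs = predict_burst(k, p1, p2, 1.2, 1.0, 11.125, 7.25)
    s_hat = predict_seal(k, p1, p2, p_obs, 1.0, 11.125, 7.25)
    print(f"burst {p_obs:.3f} -> seal {s_hat:.3f} lb/in. "
          f"({percent_error(1.2, s_hat):.2f}% error)")
```

With measured data the recovered parameters carry scatter, and the fit fails with the collinearity error if the experiment does not vary both S/D and LO/WO.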


The experiments described revealed that empirical models explained the relationship between peel and burst test results better than theoretical models. The reasons for the disagreement between the actual values and those predicted by the theoretical models are believed to be the following:

  • The peel test is a uniaxial test in which deformation is evenly applied to a 1-in.-wide strip of seal. The burst test is a multiaxial test in which force is applied by internal air pressure. When the package is pressurized, the seal perimeter does not take the same load at all points because it deforms differently in different areas. Areas that have wrinkles are loose and slack, so they do not take any force; only the stressed part of the perimeter takes the force [7].
  • The theoretical models assume that the material does not stretch much around its perimeter and that the seal area takes on a circular shape. The amount of stretch that the package experiences when pressurized and the actual shape its seal area assumes are both variable and unpredictable. For that reason, those variables are not accounted for in the theoretical model.
  • Sharp edges, corners, and angles on the package seal can act as stress concentrators during the burst test and affect the results [7].
  • Because both tests are destructive, the correlation is made between the average burst pressure of a group of pouches and the average peel strength of a different group of pouches. For that reason, any variation in the seal strength around the seal perimeter of a pouch, or significant seal-strength variations between pouches, makes the correlation weaker. In addition, the strips cut for the peel test may not represent the point at which the pouch would break in a burst test. Such strips do not necessarily represent either a stress-concentrating deformation or the weakest point in the seal.

The validation results for the empirical models were good. The correlation coefficients were all 0.96 or higher and the average percent errors between actual and predicted values ranged from 1 to 7% for predictions of burst test value from seal strength and vice versa. It should be noted that these results are applicable for the material combinations tested within the range of package sizes tested. Nevertheless, because the independent variables for the empirical models are based on theoretical principles, and the models were run for three different Tyvek/plastic types of pouches, the model should work for other types of Tyvek/plastic combinations. A change in the regression parameters when the materials under study are changed should be expected.

The results obtained when using average values tended to be slightly better than the ones obtained when using peak values. This was anticipated because the average peel force results were less variable than the peak peel force results.

Figure 5. Procedure for a mathematical correlation between peel and burst tests for sterile medical device packages.

This study resulted in a procedure that can help industry perform a simple experiment for the purpose of estimating the regression coefficients for any particular material combination [9]. The recommended procedure is outlined in Figure 5.

When using this procedure to obtain a mathematical model for the correlation between peel and burst tests, the following facts should be kept in mind:

  • The validity of the model is limited to the range of values covered in the experiment.
  • Once a model is developed for a particular group of pouches made out of the same materials, it should be revised every time there is a change in the sealing process or in the materials and sealants used.
  • Since the length, L, and width, W, dimensions of the package are part of the model, it is important to define the way L is used in data analysis. L refers to the distance from the tip of the chevron to the open side of the pouch.
  • The user can choose whether the regression technique will be employed to predict burst pressure or to predict seal strength. It can be done either way.



1. DS Barcan and SH Franks, "Comparing Tensile and Inflation Seal-Strength Tests for Medical Pouches," Medical Device & Diagnostic Industry 21, no. 10 (1999): 60–67.

2. TP Wachala, "Correlating Tensile and Burst Test in Pouches," Medical Device & Diagnostic Industry 13, no. 2 (1991): 12–15.

3. DS Barcan, "Using a Seal Matrix to Optimize Package Sealing Variables," Medical Device & Diagnostic Industry 16, no. 9 (1995): 112–122.

4. ET Hackett, "Automated Peel Test for Process Control Eliminates Variables," Packaging Technology and Engineering 7, no. 2 (1998): 44–49.

5. D Bohn, "Using Burst Testing to Evaluate Sterile Blister Packaging," Medical Plastics and Biomaterials 1, no. 1 (1994): 14–20.

6. KL Yam, J Rossen, and X Wu, "Relationship between Seal Strength and Burst Pressure for Pouches," Packaging Technology and Science 6 (1993): 239–244.

7. R Feliú-Báez, HE Lockhart, and G Burgess, "Correlation of Peel and Burst Test for Pouches," Packaging Technology and Science 14 (2001): 63–69.

8. R Feliú-Báez, "Analysis and Evaluation of Burst Test Methods Using Restraining Fixtures." Master's thesis, Michigan State University, 1998, 11–20, 37–41, 109–121, and 138–164.

9. R Feliú-Báez, "Analysis of the Relationship Between Peel and Burst Test for Peelable Flexible Packages." PhD diss., Michigan State University, 2001.

10. ASTM Committee F-2 on Flexible Barrier Materials, ASTM F1140-96: Standard Test Methods for Failure Resistance of Unrestrained and Nonrigid Packages for Medical Applications, (West Conshohocken, PA: American Society for Testing and Materials, 2000), 1176–1179.

11. ASTM Committee F-2 on Flexible Barrier Materials, Draft Proposal ASTM Standard: Standard Test Method for Burst Test Seal Strength Testing of Flexible Packages using Internal Air Pressurization within Restraining Plates, (West Conshohocken, PA: American Society for Testing and Materials, 1997).

12. ASTM Committee F-2 on Flexible Barrier Materials, ASTM F88-99: Standard Test Method for Seal Strength of Flexible Barrier Materials, (West Conshohocken, PA: American Society for Testing and Materials, 2000), 989–993.

13. DC Montgomery, Introduction to Statistical Quality Control, 3rd ed. (Hoboken, NJ: Wiley, 1997), 490–491.

14. DC Montgomery, Design and Analysis of Experiments, 3rd ed. (Hoboken, NJ: Wiley, 1991), 216–217 and 607.

Rosamari Feliú-Báez, PhD, is the packaging engineering manager at Glaxo Smith Kline (Cidro, Puerto Rico). Hugh E. Lockhart, PhD, and Gary Burgess, PhD, are professors at the Michigan State University School of Packaging (East Lansing, MI).

Copyright ©2003 Medical Device & Diagnostic Industry

Medical Device Reporting: A Risk-Management Approach

Originally Published MDDI January 2003


Common sense and care should guide the MDR filing process.

Jeffrey K. Shapiro
Hogan & Hartson LLP

Filing medical device reports (MDRs) is undesirable and presents a certain amount of risk to the manufacturer. Fortunately, this risk can be ameliorated by approaching event reporting mindfully and carefully. Most importantly, device makers must not underestimate the risk involved in choosing not to file.

The medical device reporting regulation requires manufacturers to report significant adverse events in which their medical devices are involved to FDA [1]. All domestic and foreign manufacturers of finished medical devices and ready-for-use device components commercially distributed in the United States must comply with these requirements.

Many companies are reluctant to file MDRs with FDA. While these companies comply with the regulation, they do so with a bias against filing a report unless it is clear that one is absolutely required.

This reluctance is understandable. MDRs are public documents that do not exactly add luster to the company name. Competitors may use them to talk down the company with customers. Plaintiffs' lawyers may wave them in front of juries to bolster the case for exorbitant punitive damages. Worse, companies never know when an MDR document will trigger an extensive FDA investigation. After all, the purpose of event reporting is to alert FDA to potential product problems. In short, there are significant risks in filing MDRs.

On the other hand, it is important not to underestimate the risk of failing to file. The criminal and civil penalties for MDR violations can be severe. They comprise the full range of FDA's enforcement powers, including seizure, injunction, and criminal fines and imprisonment. Civil penalties may be imposed if a violation of MDR requirements is a significant or knowing departure, or a risk to public health [2].

More than a few companies have learned the hard way that the short-term benefits of not reporting can soon be eclipsed by an intrusive federal investigation—not to mention very bad publicity when a settlement is announced or the case goes to trial. Several firms are currently under criminal investigation for failing to properly report.

Basic Filing Requirements

Deciding whether adverse events require an MDR filing involves some fairly subjective judgments. Under the MDR regulation, manufacturers must file an MDR within 30 calendar days of becoming aware of information that reasonably suggests a reportable death, serious injury, or device malfunction has occurred. Manufacturers must file an MDR within five working days if the reportable event requires remedial action to prevent an unreasonable risk of harm to the public health and for certain other types of events designated by FDA [3].

An event is reportable if one of the manufacturer's marketed devices has caused or may have caused or contributed to a death or serious injury, or if it has malfunctioned and the device or a similar one would likely cause or contribute to a death or serious injury should the malfunction recur [4]. The regulation states that a device has or may have "caused or contributed to" the event if the device was a factor, or may have been a factor because of its failure; malfunction; improper or inadequate design, manufacture, or labeling; or user error [5]. Serious injury is defined as an injury that is life-threatening, results in permanent impairment of a body function or permanent damage to a body structure, or necessitates medical or surgical intervention to preclude permanent impairment or damage [6].

Interpretation Is Everything

The number of medical device reports submitted to FDA annually increased significantly in 2000 and 2001.

Of course, this brief summary of the MDR regulation barely scratches the surface of its complexities. (For a wealth of FDA guidance and information, visit and click on "medical device reporting" under "Industry Assistance.") It does, however, begin to suggest the subjective nature of reportability determinations. What facts are needed to conclude that information "reasonably suggests" that a device "may have caused or contributed to" a serious injury or death? What is an "unreasonable risk of harm"? How can one predict whether it is "likely" that death or serious injury will occur "if the malfunction were to recur in the same or similar device"? What constitutes a "similar device"? What actions rise to the level of an "intervention" to "preclude permanent impairment or damage"?

In some cases, the application of these questions to the facts at hand will yield straightforward answers. In other cases, however, there will be ample room for disagreement. The question about whether a malfunction would likely cause death or serious injury were it to recur is especially tricky—it requires not only subjective judgment but a prediction about the future, which is always a hazardous undertaking.

The subjective nature of event reporting can lead a company into trouble. Consider this hypothetical scenario: Over an 18-month period, a company receives two dozen similar complaints of malfunction for a particular device. The company conscientiously examines the evidence each time a complaint is received but concludes that the malfunction is not likely to cause serious injury or death should it recur. On this basis, then, the company does not report any of these complaints. Now suppose that the malfunction later recurs and may have contributed to an actual patient death. At that point, the company must submit a report. It also may decide that a recall or other field action is needed. All of this activity will have the effect of alerting FDA (and the public) to the problem. In this context, it will look bad if the company has two dozen unreported complaints for the same malfunction in its files. FDA could allege that the company willfully chose not to report. In this hypothetical situation, the company may have acted in perfectly good faith but finds itself under investigation (and at risk of sanctions) for making the wrong call.

One way the company might have protected itself would have been to consult a medical expert qualified to evaluate the complaints and make a judgment about their reportability. If the expert had reasonably concluded that the device malfunction in question would be unlikely to cause or contribute to a death or serious injury should it recur, the complaints would not be reportable under the MDR regulation.7 Of course, it would be very helpful to have this expert's memorandum in the company files prior to the subsequent patient death. (This same approach can be employed when evaluating the reportability of an adverse event involving actual serious injury or death.)

If it is not feasible to obtain such an expert opinion, the only other way to eliminate the regulatory risk inherent in event-reporting decisions is to adopt a systematic bias toward reporting if there is any ambiguity whatsoever. Although the sanctions for failing to report can be severe, there are no sanctions for reporting unnecessarily.

This fact leads to an interesting question: Given the cloudiness of MDR requirements, the severe potential penalties for failing to report, and the absence of sanctions for submitting too many reports, wouldn't the best policy be to set a very low internal threshold for reporting, perhaps even lower than required by the MDR regulation, to provide a margin of safety? Yet, the opposite is often true. Many in industry have a bias against reporting unless it is very clear that they must.

Managing the Risks

This incongruity brings us back to the negatives associated with event reporting mentioned earlier. Companies are concerned about their reputation with customers, and what competitors might do with public MDRs. They are also anxious about the product liability implications of reports and the potential for an unwanted FDA investigation.

These concerns are valid but can be ameliorated. The principal product liability concern is that the MDR will be treated as an admission of device fault. The regulation, however, expressly states that a report is not necessarily an admission that a device caused or contributed to an injury. FDA itself adds this disclaimer to the front page of the reporting form, Form 3500A. Also, the MDR regulation permits the submitting party to include its own disclaimer and even deny in the report that there is any such admission.8

Thus, companies can protect themselves by carefully drafting the narrative to accurately state the known facts while avoiding any statement that could be construed as an admission if taken out of context. Companies also can add an explicit disclaimer of causation at the end of the narrative.

When competitors use MDRs to disparage products, companies need to address such publicity as they would any other unfair sales tactic. One way is to explain to customers that MDR requirements are very broad and a report does not necessarily mean there is a problem. Another approach is to research the competitor's own MDR filings to see if it has clean hands. If the competitor does not have the number or type of MDR filings that would be expected, perhaps it is not fully complying with the regulation. Ultimately, a good sales force should be able to negate or minimize any detriment from event reporting.

Finally, there is the risk that an event report will trigger an FDA investigation. Fortunately, the chances of that occurring are not great. Given the sheer volume of reports and the limitations of FDA's resources, the agency is most likely to involve itself with only the most unusual or widespread incidents involving deaths or serious injuries.

Investigation-triggering reports are likely to involve the types of cases for which a recall will be in progress or under consideration, so FDA would likely find out about the incidents anyway. Also, user facilities and importers have reporting obligations that could lead them to alert FDA to a death or serious injury even if the manufacturer did not. In rare cases where FDA follows up with an investigation, the manufacturer will be in a better position if it has filed appropriate MDRs.


The bottom line is that filing MDRs is unpleasant, but the negative effects can usually be ameliorated. On the other hand, a major reporting violation can lead to severe negative fallout. To minimize the likelihood of an MDR violation fiasco, companies should take the following measures:

  • Consider the option of consulting an appropriate medical expert for a determination that an event is not reportable. A written opinion will provide protection against an FDA attempt to judge the decision with hindsight.
  • Be especially careful about reportability decisions for complaints of malfunctions. The standard is whether the malfunction would likely cause or contribute to a death or serious injury were it to recur. This determination is likely to be both subjective and speculative.
  • Be even more careful when receiving multiple complaints for the same type of event. An erroneous decision not to report could lead to dozens or hundreds of separate violations. It could also provide a basis for a finding of significant or knowing departure from MDR requirements, or a risk to public health—each of which provides the basis for imposing civil penalties.

If companies are careful and exercise common sense when determining whether to file MDRs, they are likely to survive unscathed.


1. Code of Federal Regulations, 21 CFR 803.

2. United States Code, 21 USC 331–334.

3. Code of Federal Regulations, 21 CFR 803.50, 803.53.

4. Code of Federal Regulations, 21 CFR 803.1(a).

5. Code of Federal Regulations, 21 CFR 803.3(d).

6. Code of Federal Regulations, 21 CFR 803.3(aa)(1).

7. Code of Federal Regulations, 21 CFR 803.20(c)(2).

8. Code of Federal Regulations, 21 CFR 803.16.

Copyright ©2003 Medical Device & Diagnostic Industry

MDUFMA Spells Change for Manufacturers

Originally Published MDDI January 2003


The newest medical device legislation will provide FDA with increased revenue and resources, but how will the changes affect industry?

Edward C. Wilson Jr.

The Medical Device User Fee and Modernization Act of 2002 (MDUFMA), which President Bush signed into law on October 26, 2002, will have a significant impact on the regulation of devices in the United States. The provisions are meant to address agency shortcomings, but medical device manufacturers will also be affected by the changes. Four of the major provisions involve issues of immediate concern for the industry: user fees, third-party inspections, combination products, and modular reviews.

User Fees

The most significant change made by the new law is the introduction of user fees for product filings. For the types of filings indicated in Table I, the user fees were scheduled to go into effect on or after October 1, 2002. Exactly when companies must first pay the fees, however, is up in the air as of this writing.

The law states that fees for applications submitted between October 1 and October 26, 2002, are due on October 26, 2002. For FDA to collect the fees, however, Congress must enact an enabling appropriation. Because Congress did not do so before adjourning for the year, FDA must wait until Congress reconvenes on January 11. Whenever the appropriation is passed, FDA will issue invoices for all applications submitted between October 1, 2002, and a date to be published in a Federal Register notice. The invoices will be due and payable within 30 days. After the specified date, fees must be submitted to FDA with the marketing applications.

Premarket application
Premarket report
Panel-track supplement
Efficacy supplement
180-day supplement
Real-time supplement
Not applicable during FY2003; a small business fee for 510(k)s becomes effective FY 2004.
Table I. Structure and initial rate of FDA's user fees for medical device filings. Source:

Once this interim period has expired, FDA will consider applications that are not accompanied by the required fee to be incomplete. The agency will not accept the filing until the fee has been paid. If FDA refuses the filing for other reasons, or if the sponsor withdraws it before FDA makes a filing decision, the agency must refund 75% of the fee. In cases where a premarket application, premarket report, or supplement is withdrawn after filing but before a "first action," the law gives discretion to FDA to refund "some or all" of the fee. (Examples of first actions would be findings of major deficiency, not approvable, approvable, approval pending GMP inspection, or denial determinations.) The amount of the refund in such cases would be determined by the level of effort already expended on the review. The user fee provisions will expire on October 1, 2007, if they are not reauthorized by Congress before that day.

| Submission | Exemption or waiver |
|---|---|
| Humanitarian device exemption | Exempt from any fee (§738(a)(1)(B)(i)) |
| BLA for a product licensed for further manufacturing use only | Exempt from any fee (§738(a)(1)(B)(ii)) |
| First PMA, PDP, BLA, or premarket report from a small business | One-time waiver of the fee that would otherwise apply (§738(d)(1)) |
| First premarket report (PMR) submitted by a person who submitted a premarket application for the same reprocessed device prior to October 1, 2002 | One-time waiver of the fee that would otherwise apply. See section 102(b) of MDUFMA (this waiver is not codified as part of the FD&C Act). This provision is intended to avoid penalizing companies that previously submitted a PMA for a reprocessed device, but who must submit a new application to satisfy the requirements added by the new law. |
| Third-party 510(k) | Exempt from any FDA fee; however, the third party may charge a fee for its review (§738(a)(1)(B)(iv)) |
| Any application for a device intended solely for pediatric use | Exempt from any fee. If an applicant obtains an exemption under this provision and later submits a supplement for adult use, that supplement is subject to the fee then in effect for an original premarket application (§738(a)(1)(B)(v)) |
| Any application from a state or federal government entity | Exempt from any fee unless the device is to be distributed commercially (§738(a)(1)(B)(iii)) |
Table II: Fee exemptions and waivers from user fees.

As indicated in Table II, sponsors of certain types of submissions are not required to pay user fees. In addition, smaller companies will be granted fee waivers or reductions under certain conditions. The law defines small-business applicants as entities with $30,000,000 or less of annual revenue in their most recent federal income tax return, including returns of all affiliates, partners, and parent firms. If it is the firm's first premarket application or report, it will be granted a one-time waiver of the user fee.

In addition, for subsequent premarket applications, premarket reports, and supplements submitted by a small business, the user fees may be paid at a reduced rate of 38% of the established fees (see Table I). To qualify for a waiver or lower fee rate, small-business applicants must submit supporting information to FDA 60 days before submitting their application. The ultimate decision of whether a company qualifies for small-business status is FDA's; its decision is not reviewable.

Small businesses submitting 510(k) notices may request a fee reduction of 20% of the established rate for the fiscal year beginning October 1, 2003. The request must be made at least 60 days before submitting the 510(k) notice. Again, FDA's decision on the request is not reviewable.

User fee rates will be based on meeting specific revenue projections. Adjustments for inflation and workload begin in fiscal year 2004. FDA must publish applicable fees in the Federal Register 60 days before the beginning of each fiscal year, beginning October 1, 2003.

The law also requires FDA to submit annual performance goals (relating to review times) to Congress. In a fiscal year when appropriations do not meet specified levels, FDA will not necessarily have to meet all of its goals. Instead, it will be "expected to meet such goals to the extent practicable, taking into account the amounts that are available . . . for such purpose." For fiscal years 2006 and 2007, if appropriations do not meet certain levels, FDA may not assess medical device user fees and will not be expected to meet its performance goals.

The new legislation includes additional funding for postmarket surveillance activities. This reflects Congress's concern about the effectiveness of the postmarket surveillance program in light of the more rapid clearances and approvals that are anticipated, thanks to the increased funding from user fees.

Commentary. For the first time, many device companies will be required to pay user fees for FDA review of product submissions. These fees are meant to address the dwindling resources at the device center and to alleviate fears that U.S. patients may not be benefiting from medical technology as quickly as those in other countries. Staff levels at CDRH have dropped by 8% since 1995; average total review time for a PMA is about 411 days.

In drafting the law, Congress recognized that user fees might place a significant financial burden on some companies. Accordingly, it built in reductions, exemptions, and waivers. Under the law, to receive a waiver or fee reduction a small company must submit a request to FDA 60 days before submitting its marketing submission. FDA will also be issuing a detailed Federal Register notice providing instructions for waiver applications and payment. During the transition period, the agency is instructing small-business applicants to wait until they receive an invoice or the notice is published before submitting income tax forms or requests to be classified as a small business.

User fees should yield about $225 million in increased resources over the next five years. With such an increase, FDA reviews should proceed more quickly, permitting devices to be marketed sooner.

Companies should not become unduly aggressive in their decisions not to file supplements or new 510(k) notices to avoid user fees. They should plan carefully to consolidate multiple changes into single filings, where practicable, to help reduce the amount of fees incurred.

Third-Party Inspections

Section 201 of the law permits accredited third parties to perform inspections of eligible device establishments in place of FDA—under certain circumstances. The manufacturer bears the cost of a third-party inspection.

By no means are all manufacturers eligible to use third-party inspectors. The eligibility requirements are extensive and complex:

  • The most recent inspection of the manufacturer's facility must have been classified as "no action indicated" or "voluntary action indicated."
  • The establishment must notify FDA of the accredited entity it intends to use to inspect its facility and receive clearance from FDA.
  • The establishment must market a device in the United States and must market or intend to market a device "in one or more foreign countries," one of which countries certifies, accredits, or otherwise recognizes the entity accredited by FDA to conduct third-party inspections.
  • The manufacturer must submit to FDA a statement that the law of the country in which the device is marketed recognizes FDA's inspections. Then the manufacturer must await confirmation from FDA that it may request clearance for the accredited individual to inspect the establishment.
  • For domestic establishments, the facility may not have been inspected by a third party for the two immediately preceding inspections. FDA may choose to waive this requirement, however.
  • For foreign establishments, FDA must periodically conduct inspections of the establishment.

FDA also has the right to inspect at any time any facility that is subject to the agency's inspection authority.

The agency has 30 days to respond to a manufacturer's request to use a third-party inspector. FDA may take one of two actions in its response. First, it may simply approve the request. Second, it may ask for more information. The law specifies that this may be information concerning the relationship between the establishment and the accredited person, or GMP compliance data for the establishment.

The compliance data may include complete reports of GMP inspections or other quality control audits that, during the preceding two years, were conducted by outside parties, together with all other compliance data that FDA deems necessary. If FDA requests such compliance data, the agency has 60 days to review the data before approving or rejecting the proposed inspector. If FDA fails to respond to the manufacturer within the deadlines described above, the request is considered cleared. If FDA rejects the company's proposed inspector, the establishment may propose a different inspector. If FDA refuses to allow a third party to conduct an inspection of an establishment, the decision may be reviewed by an entity designated by FDA.

If a manufacturer uses a third-party inspector and FDA classifies the results as "official action indicated," the manufacturer will lose its eligibility to use a third-party inspector until FDA issues a written statement that all violations have been resolved and notifies the establishment that it may again use third-party inspectors. If FDA does not conduct an inspection within 48 months of the firm's initial request to use a third party, however, the establishment again becomes eligible for third-party inspection.

To assure the overall quality of this program, the law requires FDA to periodically audit the performance of accredited parties. The authority for inspections by accredited parties expires on October 1, 2012. In addition, beginning with FY 2005, if appropriations to FDA for a given fiscal year fall below certain levels, no third-party inspections may be conducted during that fiscal year.

Commentary. On November 16, 2001, the External Review Subcommittee of CDRH issued a report entitled "Science at Work in CDRH: A Report on the Role of Science in the Regulatory Process." In it, the committee made several recommendations for creating partnerships with external parties. One reason for this was to address the fact that many agency employees are due to retire in the next several years. The third-party inspection provision of the new legislation is one example of this approach. It is intended to help remedy FDA's failure—due to a lack of resources—to conduct biennial inspections of Class II and Class III device manufacturers.

The involvement of third parties in facility inspections is not entirely new. FDA has, in certain circumstances, allowed third parties to certify to the agency that a manufacturer has implemented corrective actions to address prior inspectional observations. This has been particularly true in situations in which the establishment has repeatedly failed to take adequate corrective actions to alleged violations or is perceived as having serious, systemic quality system problems.

This new section of the law significantly expands this informal policy. It requires FDA to implement a formal accreditation program and to allow eligible manufacturers to choose to be inspected by a third party. It is likely that FDA will approve the use of third-party auditors primarily for those firms with good compliance histories. This will allow the agency to concentrate on manufacturers with more serious quality system problems.

FDA generally has not allowed third parties to conduct pre-PMA inspections. It does not appear from the statutory language that companies will be allowed to use third parties to conduct pre-PMA inspections under MDUFMA either.

Before choosing a third-party audit over an FDA inspection, manufacturers should consider the potential downsides of third-party audits. Perhaps the most serious concern is that the third party may find more inspectional observations and make more recommendations for corrective action than an FDA inspector. This outcome could result from the auditor's training and experience or a concern that failing to conduct a thorough inspection could result in the loss of accreditation or more-serious penalties.

There are other issues that should be considered as well. The third party's report must contain all of the auditor's observations and recommendations. But it is unclear whether the report may include the corrective actions that the manufacturer has taken or has committed to take to address the audit observations and recommendations. It is also unclear whether the manufacturer will be permitted to respond to the report before FDA issues a Form 483 to the company and classifies the inspection as "official action indicated" or otherwise. Industry should work with FDA to ensure that firms are afforded an adequate opportunity to respond to third-party audit observations before FDA issues a Form 483 or initiates any type of enforcement action.

Another argument against a third-party audit may be that the agency may request internal compliance data concerning the GMP status of the establishment. Some companies may not wish to provide this information, which FDA, by policy, does not routinely request during typical GMP inspections.

For a firm marketing its product in Europe, it also is unclear whether FDA will permit the notified body that the firm uses there to conduct the third-party inspection. This approach would reduce the number of third-party inspections at a firm. FDA, however, may perceive it as a conflict of interest, particularly if that notified body performs a consulting function for the manufacturer.

There also are logistical issues that FDA will need to address. For example, how much advance notice will the agency provide to manufacturers of a planned FDA inspection? If it is not sufficient notice, firms will not have adequate time to make the request for a third-party inspection.

Designation and Regulation of Combination Products

Section 503(g) of the FD&C Act required FDA to designate a "component" of FDA to regulate combination products. The new law changes this language by requiring FDA to assign an agency center to regulate such products. If the agency determines that the primary mode of action of the product is that of a drug (other than a biological product), the Center for Drug Evaluation and Research will have primary jurisdiction; if a device, CDRH will have primary jurisdiction; and if a biological product, the Center for Biologics Evaluation and Research will have primary jurisdiction.

The new law requires FDA to establish an office of combination products, within the Office of the Commissioner, no later than December 26, 2002. The new office, which must be managed by a director, is required to have appropriate scientific and medical expertise. It will be responsible for

  • Promptly assigning each combination product to the agency center with primary jurisdiction (based on the product's primary mode of action).
  • Overseeing the regulation of combination products to ensure timely and effective premarket reviews, and coordinating reviews by more than one center.
  • Ensuring the consistency and appropriateness of postmarket regulation of like products.
  • Resolving any disputes regarding the timeliness of reviews of combination products (unless they are clearly premature), and making recommendations to the commissioner with regard to the resolution of substantive disputes that arise during the review process. Such disputes must first be considered by the center with primary jurisdiction, using its scientific dispute-resolution procedures.
  • Reviewing each agency agreement, guidance, or practice regarding the assignment of combination products to agency centers to determine whether each is consistent with the new law. These may be modified, revised, or eliminated as necessary (but FDA may follow these agreements, guidance documents, and practices in the meantime).
  • Reporting to Congress on its activities regarding combination products by October 26, 2003, and annually thereafter.

Commentary. These provisions may improve FDA's handling of combination products. However, they fail to clarify some fundamental problems inherent in the FD&C Act. For example, neither the FD&C Act nor these amendments resolve the overlap in the definitions of the terms drug, device, and biological product. Confusion arises because the categories all include articles that are intended to prevent, treat, or cure disease.

Both the drug and device categories include articles intended to affect the structure or function of the body. Products that achieve their primary purpose through chemical action within the body or are dependent upon being metabolized are excluded from the definition of a device. But the terms chemical action and metabolism are ill-defined and uncertain, making the categorization of each product difficult.

Also, there is no requirement that a "drug" must depend on chemical action or on being metabolized. Thus, a product that meets the definition of a device also may meet the definition of a drug. FDA claims that this overlap gives it very broad discretion over whether to regulate an article as a drug or a device.

Finally, to make matters even more complicated, products that meet the definition of a biologic also meet the definition of a drug, and some biologics (such as tissues intended to perform a mechanical function in the body) also may meet the definition of a device.

In addition, the new law does nothing to clarify the often confusing issue of determining the "primary mode of action" of a combination product. Frequently, a combination product has two modes of action, neither of which can be said to be dominant or "primary." For example, a wound dressing impregnated with antibiotic is both a device and a drug. Because this product serves two essential purposes, i.e., to provide a physical barrier (device) and to kill microorganisms (drug), it is difficult to assign jurisdiction based on the "primary" mode of action.

Also, because of the overlap in the definitions (discussed above), it is often difficult to say with certainty that a product has, for example, a drug mode of action versus a biological mode of action. Nonetheless, under the statute, FDA is required to designate one mode of action as primary. The lack of definitional clarity, and the lack of publicly available information regarding pending marketing applications, give FDA extremely broad discretion in this regard.

Modular Review

The new law amends Section 515(c) (premarket approval provisions) of the FD&C Act to codify the existing CDRH policy on the submission of modular PMAs. This provision requires the agency to accept and review portions of a PMA that are ready for FDA review. (However, FDA may suspend the program when its authority to collect user fees has been suspended.) Each portion of a modular PMA that FDA finds acceptable may not be further reviewed, unless there is a compelling issue of safety and effectiveness. Furthermore, FDA is required to identify in writing any deficiencies in PMA modules that are deemed to be unacceptable, and describe in detail how those sections may be made acceptable. Under the new law, the entire fee is due when the first module is submitted to FDA; in addition, FDA has stated that applicants in the process of a modular PMA review before October 1, 2002, will have to pay the full PMA user fee if the final module was submitted after that date.

Commentary. A number of divisions within CDRH have by policy allowed companies to submit modular PMAs, even though there has been no statutory or regulatory requirement to do so. This section of the law now makes doing so a requirement. Modular PMAs allow companies to submit portions of their PMAs to FDA when they are ready for review, as opposed to submitting the entire PMA at one time. This allows FDA to review portions of the submission (e.g., device description, preclinical section) before other sections of the PMA (e.g., clinical section) are completed. Frequently, the applicant and FDA are able to resolve issues and questions regarding certain sections of the PMA while the remaining sections are being prepared. The expansion of this approach should enhance FDA's efficiency and help reduce premarket review times.

Reprocessed Single-Use Devices

The new law requires the labeling of a reprocessed single-use device to bear the statement: "Reprocessed device for single use. Reprocessed by XX." The name of the supplier of the reprocessed device must be placed in the space identifying the entity responsible for reprocessing. It is unclear whether the original equipment manufacturer also must be identified in the labeling. The regulations implementing this requirement will presumably address this issue. This amendment applies to reprocessed devices introduced into interstate commerce after January 26, 2004.

FDA must identify devices for which 510(k) clearance is required to determine that they remain substantially equivalent to a predicate device after reprocessing. The 510(k) notice must include validation data demonstrating that the single-use device will remain substantially equivalent to its predicate device after the device has been reprocessed a maximum number of times. FDA has until April 26, 2003, to publish in the Federal Register a list of the types of reprocessed devices that require 510(k) clearance, and must revise the list as appropriate.

If 510(k) notices for reprocessed devices have been submitted to FDA before the agency publishes its initial list of reprocessed devices that require 510(k) clearance, the holders of such notices must submit validation data as described above no later than nine months after the publication of the list. The agency is limited in its ability to take enforcement action against such devices during that nine-month period and while such validation data are under review.

FDA must identify which Class I and 510(k)-exempt Class II devices require 510(k) notices if the devices are intended to be reprocessed. The agency must publish by April 26, 2003, the list of "critical" reprocessed devices for which 510(k)s with validation data will be required. (Critical devices are defined as devices intended to contact normally sterile tissue or body spaces during use.)

By April 26, 2004, the agency must also publish the list of "semicritical" reprocessed devices requiring 510(k)s. (Semicritical devices are defined as those that are intended to contact intact mucous membranes and not penetrate normally sterile areas of the body.)

The 510(k) notices for these devices must include the validation data described above. They must be submitted to FDA no later than 15 months after the publication of the initial list, or revision of the list, depending on which action terminates the 510(k) exemption for the reprocessed device. FDA is limited in its ability to take enforcement action against such devices during that 15-month period and while such validation data are under review. The termination of the 510(k) exemption for a reprocessed device does not terminate the exemption for the original device.

Any person may file a report seeking approval for a Class III device that is a reprocessed single-use device. A report also will be required if a Class I or Class II reprocessed device is found not to be substantially equivalent to a predicate device. The report must contain much of the same information as a PMA. The reports are not required to contain clinical data; however, they must include validation data that demonstrate that the device will remain reasonably safe and effective after the product has been reprocessed the maximum number of times.

To facilitate reporting of adverse events involving reprocessed devices, FDA is required, by no later than April 26, 2003, to modify its MedWatch forms. The revised forms will provide for reporting by user facilities and distributors, as appropriate, of adverse events involving reprocessed single-use devices.

Commentary. The new provisions regarding reprocessed devices are the result of significant pressure from original equipment manufacturers and other groups. They have argued that reprocessors should be required to demonstrate that the reprocessing of single-use devices does not render the products unsafe, ineffective, or no longer substantially equivalent to a predicate device. The law formalizes certain initiatives that FDA has already taken to regulate the reprocessing of single-use devices. It also requires that the name of the reprocessor be on the label of the device, so that any malfunctions or injuries can be reported under the reprocessor's name. The reference to distributor reporting is somewhat confusing, because distributors are not currently required to submit MedWatch forms to FDA. It is unclear whether FDA will now require distributors to report adverse events only for reprocessed devices, or whether the statute is referring to voluntary reports from distributors.

Miscellaneous Provisions

The new law also includes a number of miscellaneous provisions related to pediatric device use, breast implants, the inclusion of manufacturer identification on products, electronic labeling and registration by manufacturers, and electronic posting of Class II devices exempt from 510(k)-notice requirements by FDA. In addition, the law makes permanent the "intended use" provision enacted in 1997 as part of FDAMA. This provision was scheduled to expire this year. It applies to FDA's determinations of the intended use of a device, for the purpose of determining substantial equivalence to a legally marketed product. It requires that such determinations be based on the proposed labeling submitted in the applicant's 510(k) notice, rather than "implied intended uses" asserted by the agency. Finally, the new law extends FDA's existing authority to allow accredited third parties to review some premarket notifications until October 1, 2007.

Edward C. Wilson Jr. is a partner in the Washington, DC–based law firm Hogan & Hartson LLP. His specialty is medical device law.

Copyright ©2003 Medical Device & Diagnostic Industry

Out with the Old, In with the New: MD&DI's New Look for 2003

Originally Published MDDI January 2003


By the time you read this page, you will have probably noticed something different about this month's issue of MD&DI. For the first time since 1997, the magazine has been completely redesigned. Even the magazine's logo, untouched since 1988, has been revamped.

Magazines must change with the times and the needs of their readers, and MD&DI is no exception. Take, for instance, the new logo. For years, readers have referred to the magazine by the abbreviation MD&DI, rather than the comprehensive but cumbersome Medical Device & Diagnostic Industry. The change reflects MD&DI's well-established role as the most familiar and accessible source of information for the industry.

Inside, the magazine has a whole new look as well. All the typefaces have been replaced. The increased readability that results from these design changes is further enhanced by a bigger page size and wider margins.

The changes within MD&DI are more than skin deep, however. In this issue, we unveil several new monthly columns. Regulatory Outlook will feature short articles on timely regulatory subjects by recognized experts in the field. Product Development Insights will offer useful tools and advice for engineers, project managers, and others involved in product development efforts. And the last page of every issue will feature Market Snapshot. Based on our annual Industry Snapshot feature in the December issue, this page will bring together key data about different market sectors in the device industry.

The enhancements to MD&DI extend beyond the printed page. Beginning with this issue, we will be making greater use of MD&DI's pages on the Medical Device Link Web site to expand the dialogue between editors, authors, and readers.

One way we will do this is with our new Author Forums. The authors of selected articles will agree to entertain on-line questions and comments from readers for one-week periods. The time frame for each participating author is indicated at the end of each article. To locate and take part in the forums, visit and click on the Author Forums link.

Another way MD&DI will extend its mission into the Internet will be through twice-monthly e-mail newsletters. These will include recaps of recent industry news, previews of upcoming articles, exclusive interviews with authors and newsmakers, and insights into business and regulatory issues. Subscribers who have already provided us with their e-mail addresses will automatically receive the newsletters (along with instructions on how to opt out of future mailings, if desired). If you haven't given us an e-mail address, or if it has changed, you can sign up for the newsletters at

Just as the Internet is revolutionizing the way readers interact with authors, so it is transforming the way they reach advertisers. In response to expectations of speed and immediacy, we have eliminated reader service numbers from ads and product reports alike. In their place, we have listed Web addresses or other direct-contact information in the index to advertisers and at the end of each product report.

Look for further refinements throughout the year. We welcome your feedback, and will be incorporating it into future issues. Like the industry it serves, MD&DI is committed to continuous improvement.

The Editors



Is Your Human Factors Program Ready for FDA Scrutiny?

Originally Published MDDI January 2003


For the agency, human factors is more than a buzzword. Manufacturers lacking a comprehensive approach to user-centered design are likely to find this out firsthand.

Michael E. Wiklund


Manufacturers planning to bring a medical device to the U.S. market should ask themselves the following questions: "Are we ready for FDA to inspect our human factors program? Will our user-interface designs and related test data easily navigate the premarket review process?" How a company answers these queries will reveal a great deal about its likely success in dealing with FDA and appealing to the marketplace.

If the answers are an honest yes, this is probably a company that has made a deliberate and thoughtful investment in a human factors program. It is likely to encounter few problems with FDA, at least with respect to human factors design, and can expect to enjoy a competitive advantage in the marketplace.

If the answers are no, or even maybe, the company may be in for trouble. This may be a company that has paid too little attention to the regulation requiring companies to utilize a systematic design process in the course of product development. As a result, it may have left itself open both to trouble with FDA and to liability claims related to use error.


Since June 1997, the FDA quality system regulation's design controls section has required manufacturers of Class II and Class III medical devices (along with certain Class I devices) to demonstrate adherence to good design practices. According to FDA human factors scientists Pete Carstensen and Dick Sawyer, the critical language with respect to human factors is including the needs of the user and patient. FDA's objective is to improve the quality of user-interface design in order to reasonably minimize the incidence of use errors that could cause patient injury or death. Examples of common use errors include placing a device on the wrong setting, misprogramming its automated behavior, or improperly connecting its components.

In the ensuing five years, many manufacturers have responded positively to the requirement by establishing robust human factors programs. Others have been less responsive. Their hesitance may be due to a lack of technical understanding or to a lack of commitment—whether philosophical, financial, or both—to setting up an effective human factors program. Some companies seem to be taking a wait-and-see approach, unsure how serious FDA is about enforcing its human factors mandate.

Along with the Association for the Advancement of Medical Instrumentation (AAMI), FDA has taken steps to address these barriers, through education, standards development, and enforcement measures. In 2001, AAMI sought to improve the level of understanding of the new regulations among manufacturers by publishing a new national standard entitled AAMI HE74:2001 Human Factors Engineering of Medical Devices. This new standard replaces in part AAMI HE48: 1993 Human Factors Engineering Guidelines and Preferred Practices for the Design of Medical Devices.

Endorsed by FDA, the standard delineates the appropriate steps toward producing a user-friendly and error-resistant design. It acknowledges that human factors research, design, modeling, and testing activities should be scaled to match the complexity of the device and its manner of use. As such, a hemodialysis machine would probably warrant a more substantial investment than a pulse oximeter, due to the extent of user interactions and the opportunity for detrimental use errors.

FDA is increasingly holding manufacturers accountable to its human factors expectations through field inspections, product reviews, and postmarket surveillance. The agency's human factors specialists speak passionately and often about protecting the public against products with human factors shortcomings. At industry conferences and sponsored workshops, they cite numerous examples of patient injury and death attributable to user-interface design flaws. The agency points to the design processes described in AAMI HE74:2001 as an important part of the solution. They also rattle the saber a bit, noting that FDA now has the regulatory responsibility to take action in cases of bad user-interface design.

Field Inspections

Every facility inspection by FDA brings with it a chance that field investigators will ask to see evidence of the company's human factors program. Depending on the situation, field investigators may ask to review examples of human factors analyses and tests associated with products already on the market or currently under development. In such cases, manufacturers should be prepared to open up their design history files, which might include the following items:

  • Human factors program plan.
  • User research reports and videotapes.
  • Task analysis report.
  • User requirements specification.
  • Conceptual, preliminary, and final design drawings and descriptions.
  • Computer-based prototype software files.
  • Usability test reports and videotapes.
  • User-interface style guide.

Field investigators may also ask to meet the company's human factors specialists, who may be formally trained staff, professionals in related disciplines who learned human factors on the job, or consultants.

Notably, few if any of FDA's field staff have hands-on experience or degrees in human factors or even related disciplines, such as psychology or industrial design. To some extent, this limits their ability to identify subtle issues related to the design process and user-interface design. However, the agency provides its field staff with basic human factors training and background materials to distinguish a good human factors program from a bad one, assuming one exists at all. If an investigator finds cause for concern, he or she may investigate the matter more deeply, drawing support from the agency's experts as needed. Thus, field inspectors will at least catch gross human factors deficiencies.

If a company is unable to demonstrate proper attention to human factors, FDA is empowered to issue a warning letter, a uniformly dreaded outcome among medical device developers. Warning letters give manufacturers a deadline to correct documented problems before the agency imposes a severe penalty.

Carstensen spearheads the agency's human factors efforts. He says that a company can be written up for not having the necessary design controls in place, even if the device appears to have a good user interface. The company must have a design control process in place—one that includes the required human factors steps, he says. Sawyer points out that device developers must verify the match between design inputs (users' needs identified through research) and design outputs (specific user-interface design characteristics).

Premarket Reviews

FDA has asked many companies that are seeking premarket clearance for their products to supplement their applications with additional proof that the device can be used safely by typical users working under the normal range of use conditions. Such proof often includes findings from evaluations of device operation conducted early in the design process using relevant use scenarios, effectively requiring usability tests of computer-simulated or working prototypes. And of course, discovering design deficiencies in a prototype will save the manufacturer the money and time that might be spent redesigning a production model.

The rigor of a human factors review is proportionate to the complexity of the device's user interface and the potential for deleterious use errors. According to Carstensen, reviewers may flag a particular product as having a relatively complicated user interface, perhaps because it has numerous controls or unusual interaction mechanisms. In such a case, the reviewer may contact CDRH's human factors group, and a staff member will be assigned to the review team. He or she will perform a more-intensive analysis that pays particular attention to submission materials related to hazards, use errors, design requirements, design features, and user instructions. In more-focused reviews, FDA staff seek answers to basic questions, such as the following:

  • Does the device adhere to basic human factors design principles?
  • Does the device preclude use errors that could lead to patient injury or death?
  • Has the manufacturer tested the user interface with representative users to demonstrate its operability?

Review of a device's human factors aspects may raise concerns about specific features. For example, the reviewers may be concerned about the design of the imbedded alarm system or cable connections to peripheral devices. They may question whether users will be able to hear a high-pitched alarm tone, noting that older men suffer a predictable degradation in their ability to hear high-pitched sounds. Or they may be concerned about whether the device's cable connections provide sufficient tactile feedback to confirm that the connection is complete and secure.

Considerable attention is focused on usability test reports because many usability problems become evident only when representative users perform representative tasks. For example, the task of programming a single-channel infusion pump may seem logical according to a flow diagram. However, users may struggle to perform the task correctly, even after receiving training, due to the need to convert units of measure as part of a complicated dose calculation. This kind of problem could lead to an accidental patient overdose, but it is difficult to spot on a paper review. Therefore, FDA looks to manufacturers to conduct rigorous, dynamic usability tests to reveal such problems.

In fact, a glance at FDA's human factors guidance documents or the Web page reveals the agency's view that usability testing is the cornerstone of any human factors program. FDA's human factors team strongly encourages manufacturers to invest in a series of usability tests during the course of product development in order to make the product review process go more smoothly.

Postmarket Investigations

Occasionally, the agency's human factors staff may be called upon by the agency's Office of Surveillance and Biometrics to evaluate the human factors suitability of a device involved in an incident leading to a patient injury or death. In the past, they have scrutinized various catheters, glucose meters, infant apnea monitors, ventilators, infusion devices, and many other devices involved in multiple incidents.

According to Carstensen, these human factors reviews typically begin with an ad hoc meeting to discuss the given incident as well as concerns about the device's design. The discussion may escalate to include follow-up design analyses by FDA's human factors experts and a request for the manufacturer to conduct studies to address a specific concern. A particularly severe problem could trigger a device recall. However, according to Sawyer, "In the case of an obvious and serious user-interface deficiency, manufacturers often will be the first to recognize a problem and take necessary corrective and preventive actions on their own."

International Perspective

Recent changes to the good manufacturing practice regulations and AAMI HE74:2001 establish a clear mandate for U.S. medical device companies to focus on human factors. But many companies first introduce their products in Europe in order to accelerate market entry and build a base of clinical experience. What are the expectations abroad? Are the requirements significantly different?

In fact, the expectations are quite similar. For starters, the International Electrotechnical Commission is expected to incorporate an adapted version of AAMI HE74:2001 as a collateral standard to IEC 60601: IEC 60601-1-6, Edition 1, Medical electrical equipment - Part 1-6: General requirements for safety - Collateral standard: Usability (currently under development, second draft circulated for comment in July 2002). Therefore, organizations such as TÜV, which evaluate medical devices against applicable standards, will also be seeking evidence of good human factors design.


Who should care about human factors? Certainly, any quality-conscious engineer or designer should. User interfaces are a particularly visible sign of design excellence and warrant close attention from the technical staff. Marketers should also be concerned. More than ever before, customers are able to distinguish good user interfaces from bad ones and choose to purchase devices with good ones.

But it is top management and the staff in a firm's regulatory affairs department that hold the final responsibility for demonstrating a good faith response to FDA's mandate. In the absence of such a response, not only is FDA regulatory action a real possibility, but marketing problems and liability concerns could arise as well.

Michael E. Wiklund is vice president, human factors/usability engineering, at the American Institutes for Research. He is a frequent contributor to MD&DI.

The author will be responding to questions and comments about this article in MD&DI's Author Forums during the week beginning February 3, 2003. Visit and select the Author Forums link.


Defibrillators Moving into the Home

Originally Published MDDI January 2003


Gregg Nighswonger

FDA has cleared the first of a new generation of AEDs intended for home use.

It has been more than two years since legislation was passed to require increased public access to automated external defibrillators (AEDs). More than 40,000 AEDs have been deployed in public places, such as police cars, hotels, sports arenas, high schools, and manufacturing plants. In fact, the Federal Aviation Administration has ruled that U.S. airlines must carry AEDs. Last November, 62-year-old Michael Tighe became the first airline passenger on a domestic flight to have his life saved by an onboard AED.

Use of such devices is widely viewed as being critical to increasing survival rates. The American Heart Association, for example, suggests that as many as 50,000 lives could be saved each year if communities could achieve a 20% cardiac arrest survival rate.

Now, the lifesaving devices are being made available to those who want the ability to respond to incidents of cardiac arrest within the home, where some studies have shown 70% or more of cardiac arrests happen.

In November, FDA cleared the HeartStart Home Defibrillator, manufactured by Royal Philips Electronics (Best, Netherlands). According to Philips, the device is "the first of a new generation of defibrillators designed specifically for the home." According to Deborah DiSanzo, vice president and general manager for cardiac resuscitation at Philips Medical Systems, "The HeartStart Home Defibrillator was carefully designed to help people of various ages and abilities use the technology successfully when faced with an emergency situation. We believe that the HeartStart Home Defibrillator allows Philips to extend the ability to help save a life to this newest group of responders."

Jeoffrey K. Stross, MD, professor of internal medicine at the University of Michigan Medical Center (Ann Arbor, MI), says "Defibrillator technology has evolved significantly during the last several decades, resulting in automated devices that are intuitive, simple to operate, portable, easy to maintain, and relatively inexpensive." He adds that technology improvements have allowed defibrillators to be distributed through public access defibrillation (PAD) programs. Such programs, says Stross, "make the devices available to trained and targeted responders such as firefighters, police officers, flight attendants, corporate emergency response teams, and even the general public. Because most cardiac arrests occur in the home, defibrillators designed for home use have the potential to complement and extend the progress of PAD programs in improving SCA survival outcomes."

Stross cites studies that have demonstrated the ease of use of these new-generation defibrillators. "During mock cardiac arrests," says Stross, "sixth-grade children delivered shock therapy with an AED with only modestly slower rates than emergency medical technicians and paramedics (90 seconds vs. 67 seconds)." He explains that none of the children touched the pads or the mannequins during shock delivery, demonstrating that the devices were easy to use. Stross adds that additional data suggest that "laypersons aged 60 and older can successfully operate an AED after watching a short instructional video."


Developing Safety-Conscious Software for Medical Devices

Originally Published MDDI January 2003


To protect both the user and patient, medical device developers must pay strict attention to the safety of a device's software. Risk-mitigated software design is crucial.

Timothy Cuff and Steven Nelson

In the medical device industry, the software used to control a device takes on an additional role: it must help ensure the safety of the user and patient. This important requirement is not particularly easy to meet, however. Challenges to safe software implementation include microprocessor-oriented controls architecture, limited higher-order language support for the microprocessor (often C language only, or limited C implementation), the limited functionality of the medical device, and pressure to keep product costs down.

Consequently, the software design phase must include a deliberate and rigorous risk-mitigation process. In this context, the software's design should be a natural by-product of risk analysis and mitigation. Software design must incorporate risk-mitigation strategies from the onset of the project, while simultaneously addressing potential device failures introduced by the software itself.

Risk Mitigation: The Basics

Risk-mitigation techniques should be incorporated into the development of any engineered product. A design team has an ethical responsibility to make sure that any potential safety hazards are balanced by expected product benefits. The good news is that properly applying risk-mitigation techniques is more than just another burden borne by the project team. When employed intelligently, risk mitigation helps the team design a better product using fewer development resources. By identifying potential risk early in the design process, the team will spend less time and money solving problems than if it had waited.

Tailored Risk Mitigation. A preferred risk-mitigation approach is one that recognizes the different levels of evaluation necessary for each product. The overall process is the same for most projects, but the degree to which the analysis is conducted varies in accordance with the degree of potential danger the product presents. The determination of the required degree of analysis is arrived at through an agreement between the client and the project team, and is ultimately driven by the results of the risk-mitigation process itself. The tailored risk-mitigation approach is a process-driven, ongoing effort, updated at appropriate points in the project to ensure the design team is following the correct course.

Project Hazard Analysis. The first line of risk mitigation is product hazard analysis (PHA). Starting with such general potential hazards as user injury or product failure, PHA identifies failures that could cause a hazard and attaches a likelihood value to each. The goal is to identify and rank specific failures based on their likelihood values, so that the design team can appropriately focus on those requiring attention. PHA starts early in the design life cycle, roughly concurrent with the first attempt at product specification. Any significant risks identified by PHA are used to generate product requirements and specifications used by the design team to develop the product. The PHA document is updated as necessary throughout the early phases of the development process.

Failure Mode and Effects Analysis. Once the design has reached the point where key systems are defined and the product is ready for more-detailed design, a second risk-analysis technique comes into play: failure mode and effects analysis (FMEA). Because sufficient information about how the product works is available at this point, the team can examine each design element to define what might occur should it fail. This bottom-up approach complements the top-down PHA to provide the project team with a comprehensive examination of the product's potential safety-related issues. As with PHA, FMEA can generate product specifications to guide the development team.

Software Safety Assessment. The software safety assessment (SSA) is a subset of the product risk analysis. It can be included as part of the PHA and FMEA or isolated as a separate document. Generally, a product with a significant software component will have a separate SSA and associated software requirements specification. The SSA addresses those product aspects to which software can pose a potential hazard or mitigate the effects of such a hazard. Often, the SSA affects decisions about hardware and software architecture.

Testing. After the risk-mitigation analyses results have been used to define the product specifications, the resulting product must be tested to determine how well the design team has met those specifications. Qualification tests are linked to each of the design specifications to demonstrate the ability of the product to meet them. For complex software, the testing can extend beyond simple tests that define a series of steps and an expected outcome. More-subjective examinations, such as code reviews, are often necessary to determine adequately the ability of the product to meet its software specifications. In such cases, it is important to make sure that staff members who were not on the development team are brought into this part of the review. These integral new team members might come from internal staff working on other teams, the client company, or other outside sources.

Risk assessment and mitigation are a significant part of the development of any medical device and its software. Only by adopting a comprehensive approach and adhering to its requirements can a safe product be developed.

Software Design Guidance

As the system architecture develops, the proper instrumentation and sensor suite is needed so the hardware and software integration complement one another. This approach reduces risk. Without proper instrumentation, the software has no mechanism for detecting system behavior; the program proceeds with control based only on intent and inference.

Software produces commands for hardware. After hardware has been commanded, the software infers that the hardware is behaving as expected. If a hardware element can contribute to a hazard, then feedback is necessary to explicitly monitor the commanded behavior. In the absence of so-called real-world feedback, control software must infer the status of hardware—it cannot do otherwise. This inference of operation tends to increase the risk of operational hazards.

Sensors overcome this shortcoming. They allow a device's software to tap into the "real world" and receive information and feedback. Through the use of sensors, safe software detects whether its operation conforms to reality, instead of being deceived by spurious sensor inputs or simply "dreaming" (inferring) that correct operation is occurring. These circumstances can be likened to doctors performing surgery: one is fully informed of all conditions; the others are misled or simply dreaming. If the software detects deception or dreaming, it should always indicate a fault. One option is to cease operation upon fault detection, but this isn't feasible in applications that require degraded but continuing operation.
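The following C sketch is an added example, not code from the article. It shows one way to monitor a commanded flow rate against sensor feedback and to latch a fault on stale data ("dreaming"), out-of-range readings ("deception"), or a sustained mismatch. The pump, limits, tolerances, and all function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All names and limits are assumptions for a hypothetical infusion pump. */
#define SENSOR_MIN_ML_H     0   /* lowest reading the flow sensor can produce    */
#define SENSOR_MAX_ML_H  1200   /* highest reading the flow sensor can produce   */
#define TOLERANCE_ML_H     10   /* allowed gap between command and measurement   */
#define SETTLE_SAMPLES      3   /* samples the hardware gets to reach a setpoint */

typedef enum {
    FB_OK,                 /* measurement confirms the command              */
    FB_SETTLING,           /* command is recent, hardware still ramping     */
    FB_FAULT_STALE,        /* no fresh sample: software would be "dreaming" */
    FB_FAULT_IMPLAUSIBLE,  /* reading outside physical range: "deception"   */
    FB_FAULT_MISMATCH      /* hardware is not doing what was commanded      */
} fb_status;

typedef struct {
    int32_t   commanded_ml_h;
    uint32_t  samples_since_cmd;
    uint32_t  last_seq;      /* sequence number of the last sample consumed */
    bool      have_seq;
    fb_status latched;       /* first fault seen; FB_OK while healthy */
} fb_monitor;

static void fb_init(fb_monitor *m)
{
    m->commanded_ml_h = 0;
    m->samples_since_cmd = 0;
    m->last_seq = 0;
    m->have_seq = false;
    m->latched = FB_OK;
}

/* Record a new command and restart the settling window. */
static void fb_command(fb_monitor *m, int32_t rate_ml_h)
{
    m->commanded_ml_h = rate_ml_h;
    m->samples_since_cmd = 0;
}

/* Compare one sensor sample (with its sequence number) against the command. */
static fb_status fb_check(fb_monitor *m, int32_t measured_ml_h, uint32_t seq)
{
    if (m->latched != FB_OK)
        return m->latched;                     /* faults stay latched */

    if (m->have_seq && seq == m->last_seq)     /* sensor stopped updating */
        return m->latched = FB_FAULT_STALE;
    m->have_seq = true;
    m->last_seq = seq;

    if (measured_ml_h < SENSOR_MIN_ML_H || measured_ml_h > SENSOR_MAX_ML_H)
        return m->latched = FB_FAULT_IMPLAUSIBLE;

    m->samples_since_cmd++;
    int32_t diff = measured_ml_h - m->commanded_ml_h;
    if (diff < 0)
        diff = -diff;
    if (diff <= TOLERANCE_ML_H)
        return FB_OK;
    if (m->samples_since_cmd <= SETTLE_SAMPLES)
        return FB_SETTLING;                    /* still inside the ramp window */
    return m->latched = FB_FAULT_MISMATCH;
}

int main(void)
{
    /* Constructed sample readings: ramp up, hold, then the flow collapses. */
    const int32_t readings[] = { 0, 60, 95, 100, 40, 100 };
    fb_monitor m;
    fb_init(&m);
    fb_command(&m, 100);
    for (uint32_t i = 0; i < 6; i++)
        printf("sample %u: %d ml/h -> status %d\n", (unsigned)i,
               (int)readings[i], (int)fb_check(&m, readings[i], i + 1));
    return 0;
}
```

The last reading returns to 100 ml/h, yet the status stays at the latched mismatch: a fault is not cleared merely because the next sample looks healthy.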

An insidious example of operation inference occurs when the application must measure time. Hardware (and people) always experience time, but software knows about the passage of time only when some "tick" event occurs, say, every millisecond. If the hardware or software hook responsible for producing that tick is absent, late, or of an incorrect interval, then the software does not correspond with reality—the logic does not realize that too much time, too little time, or even any time has passed. Consequently, any time-based calculations would be incorrect, and therefore, a potential cause of user or patient harm. Two possible approaches to avoiding this type of problem are deliberate comparison of clock values within the code, and using multiple independently operated clocks, since it is unlikely that both clocks will fail.
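As an added illustration (not code from the article), the C sketch below implements the "deliberate comparison of clock values" approach: the software tick counter is cross-checked against a second, independently clocked counter. The 1 ms tick, the 32768 Hz reference, the tolerance, and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed hardware: a 1 ms tick counter incremented by a timer interrupt,
 * and a free-running 32768 Hz counter driven by a separate oscillator. */
#define REF_HZ          32768u
#define TOLERANCE_PPT      20u   /* allowed disagreement, parts per thousand */
#define MIN_WINDOW_MS      50u   /* do not judge windows shorter than this   */

/* With only two clocks the monitor can prove disagreement, not which clock
 * is wrong; the fault names describe the tick relative to the reference. */
typedef enum {
    CLK_OK,
    CLK_TOO_SOON,            /* window too short to judge; keep accumulating */
    CLK_FAULT_TICK_STOPPED,  /* real time passed, software saw none          */
    CLK_FAULT_TICK_SLOW,     /* ticks absent or late                         */
    CLK_FAULT_TICK_FAST,     /* tick interval too short                      */
    CLK_FAULT_REF_STOPPED    /* the reference counter is not advancing       */
} clk_status;

typedef struct {
    uint32_t last_tick_ms;   /* tick counter at the start of the window      */
    uint32_t last_ref;       /* reference counter at the start of the window */
} clk_monitor;

static void clk_init(clk_monitor *m, uint32_t tick_ms, uint32_t ref_counts)
{
    m->last_tick_ms = tick_ms;
    m->last_ref = ref_counts;
}

static clk_status clk_check(clk_monitor *m, uint32_t tick_ms, uint32_t ref_counts)
{
    /* Unsigned subtraction gives the correct elapsed value across wraparound. */
    uint32_t d_tick   = tick_ms - m->last_tick_ms;
    uint32_t d_ref    = ref_counts - m->last_ref;
    uint32_t d_ref_ms = (uint32_t)(((uint64_t)d_ref * 1000u) / REF_HZ);
    uint32_t window   = d_tick > d_ref_ms ? d_tick : d_ref_ms;

    if (window < MIN_WINDOW_MS)
        return CLK_TOO_SOON;              /* baseline kept, window grows */
    if (d_tick == 0)
        return CLK_FAULT_TICK_STOPPED;
    if (d_ref == 0)
        return CLK_FAULT_REF_STOPPED;

    /* Tolerance scales with the window; the extra 1 ms covers rounding. */
    uint64_t allowed = ((uint64_t)d_ref_ms * TOLERANCE_PPT) / 1000u + 1u;
    if ((uint64_t)d_tick + allowed < d_ref_ms)
        return CLK_FAULT_TICK_SLOW;
    if ((uint64_t)d_tick > (uint64_t)d_ref_ms + allowed)
        return CLK_FAULT_TICK_FAST;

    m->last_tick_ms = tick_ms;            /* agreement: start a new window */
    m->last_ref = ref_counts;
    return CLK_OK;
}

int main(void)
{
    /* Constructed readings: 100 ms of agreement, then half the ticks are lost. */
    clk_monitor m;
    clk_init(&m, 0, 0);
    printf("healthy window: %d\n", (int)clk_check(&m, 100, 3277));
    printf("missed ticks:   %d\n", (int)clk_check(&m, 150, 6554));
    return 0;
}
```

On any fault the caller would stop trusting time-based calculations (dose totals, timeouts) and move to its defined fault handling.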

Installing a Watchdog Timer. A watchdog timer is a device that directs the microprocessor and hardware operation to a known safe state in the event of an outright software failure. Depending on the specific microprocessor operation, software failure manifests itself in different ways. For example, it might create runaway tasks, leave interrupts enabled without foreground tasks running, or come to a total halt. Regardless of the software failure mode, real-time hardware control ceases in the event of a software failure.

A watchdog timer has two basic elements: a reset mechanism and a reset block. Typically, a time-out value is specified for the watchdog, and specific hardware circuitry counts down this value unless it is reset. Should the watchdog detect a timeout, the processor is reset or directed to a fail-safe state. Application code periodically "pets" the watchdog to essentially rouse it and block the timeout.
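
The countdown-and-pet relationship described above, as an added simulation that is not from the original article. The struct stands in for the hardware counter, and all names, the 100 ms timeout, and the rule that the pet is issued only after every task has checked in are assumptions; that rule keeps a still-running loop from petting the watchdog on behalf of a task that has stopped.

```c
#include <stdbool.h>
#include <stdint.h>

#define WDT_TIMEOUT_MS 100u
#define TASK_CONTROL   0x01u
#define TASK_SENSOR    0x02u
#define ALL_TASKS      (TASK_CONTROL | TASK_SENSOR)

typedef struct {
    uint32_t countdown_ms; /* stand-in for the hardware down-counter */
    uint8_t  checked_in;   /* one bit per task that has reported in */
    bool     tripped;      /* set when the hardware would reset the CPU */
} watchdog;

/* Each task reports that it completed its work for this cycle. */
void wdt_check_in(watchdog *w, uint8_t task) { w->checked_in |= task; }

/* Pet the watchdog only when every task has reported since the last pet. */
void wdt_service(watchdog *w)
{
    if ((w->checked_in & ALL_TASKS) == ALL_TASKS) {
        w->countdown_ms = WDT_TIMEOUT_MS;
        w->checked_in = 0u;
    }
}

/* Hardware side, once per millisecond: count down, trip at zero. */
void wdt_hw_tick(watchdog *w)
{
    if (w->countdown_ms > 0u && --w->countdown_ms == 0u)
        w->tripped = true;
}

/* Simulation: 10 ms main loop; the control task stops reporting at
   control_hangs_at_ms. Returns the ms at which the watchdog trips, or -1. */
int32_t simulate_control_hang(uint32_t run_ms, uint32_t control_hangs_at_ms)
{
    watchdog w = { WDT_TIMEOUT_MS, 0u, false };
    for (uint32_t t = 0u; t < run_ms; t++) {
        if (t % 10u == 0u) {
            wdt_check_in(&w, TASK_SENSOR);
            if (t < control_hangs_at_ms)
                wdt_check_in(&w, TASK_CONTROL);
            wdt_service(&w);
        }
        wdt_hw_tick(&w);
        if (w.tripped)
            return (int32_t)(t + 1u);
    }
    return -1;
}
```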

Planning for Deliberate Programming Practices. Although not driven directly by the hazard analysis, some software disciplines, such as object-oriented techniques, can improve the implementation.

Whether fully supported by a programming language or not, the use of "classes" or "objects" will aid software implementation. A class is a software component that functions as a black box. The class performs a specific set of functions, and other software elements (clients) make use of these functions. The implementation details of the class are solely within the class itself. Clients of the class may only employ the functionality by using the interface structure of the class.

Data hiding and private functions are two techniques that implement these features. An object-oriented implementation will force a software developer to create well-defined and strongly typed interfaces between software components. Data hiding is a technique that limits access to data, and private functions hide the implementation details within the object itself. Objects can be altered only through their public functions and data. These interfaces limit what effect objects are allowed to have on each other.

The design intention is to limit code interdependencies. When software modules are overly interdependent, the design intent can be difficult to understand. When code is difficult to understand, it becomes difficult to develop and maintain—with a potential side effect of the code not operating as intended.

Establishing Low Cyclomatic Complexity and Modularity. Cyclomatic complexity measures the level of difficulty inherent in understanding and verifying a software component's design or implementation. The degree of complication is determined by such factors as the number and intricacy of interfaces, the number and intricacy of conditional branches, the degree of nesting, and the types of data structures present.

Overly complex software components cannot be tested. These modules are prone to unintended operation, since the full suite of functionality cannot be verified. Future maintenance of such software components carries a high degree of risk.

Ensuring Data Integrity. Data integrity refers to whether numbers stored in variables are altered only as intended by the programmer.

Variables can have an effect on patient safety, and for that reason must be guarded against unintended changes. State variables are an example of one type of safety-critical data. Variables can be unintentionally altered through the physical medium (either RAM or EEPROM, electrically erasable programmable read-only memory), stuck bits (which occur when a binary digit is stuck on or off), or by other means, such as overstepping array bounds or a wandering stack pointer. The software designer needs to distinguish between the improbable and the impossible. Many of these occurrences seem unlikely, perhaps even highly improbable, but they are not impossible.

The software architecture bears the burden of explicitly monitoring safety-critical data to ensure that the data has not been corrupted. To this end, a deliberate read-and-write strategy is required. The read component of the strategy must provide an explicit means for detecting data corruption. The write component must provide a repeatable and consistent method that complements the corruption-detection scheme. In the interest of modularity, these features can be encapsulated into a single class.

Several strategies can be called upon to monitor data corruption:

  • Storing a backup or complementary form of each safety-critical variable (and then checking data against it every time) in the application's main loop.
  • Making an inverted backup copy, which is similar to a standard backup copy except a 1's complement is stored as backup.
  • Using a cyclic redundancy code (CRC) or checksum for stable variable sets. (In EEPROM/Flash, safety-critical variables are also compared to a checksum stored in EEPROM.) The CRC is by far the highest-fidelity method; however, CRC usage is not without risk. To lessen risk, the CRC must be sized appropriately for the data it will monitor. The CRC also carries a significant computational overhead that may push the limits of processing in the microprocessor environment.
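
The read-and-write strategy and two of the listed monitoring methods, as an added example that is not from the original article: a variable guarded by an inverted backup copy, and a CRC over a stable variable set. The names are assumptions, and the CRC-16/CCITT-FALSE parameters are one common choice rather than a recommendation from the article.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Safety-critical value kept with its 1's complement (inverted backup). */
typedef struct {
    volatile uint16_t value;
    volatile uint16_t inverse; /* equals ~value while the pair is intact */
} guarded_u16;

/* Write component: the only path allowed to change the variable. */
void guarded_write(guarded_u16 *g, uint16_t v)
{
    g->value = v;
    g->inverse = (uint16_t)~v;
}

/* Read component: false means corruption, and the caller must fault. */
bool guarded_read(const guarded_u16 *g, uint16_t *out)
{
    uint16_t v = g->value, inv = g->inverse;
    if ((uint16_t)(v ^ inv) != 0xFFFFu) return false;
    *out = v;
    return true;
}

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF) over a stable variable set. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len)
{
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u)
                                  : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Constructed fault: flip one bit, as a stuck bit or stray write would. */
bool stuck_bit_is_detected(void)
{
    guarded_u16 dose_limit;
    uint16_t out = 0;
    guarded_write(&dose_limit, 1200u);
    if (!guarded_read(&dose_limit, &out) || out != 1200u) return false;
    dose_limit.value ^= 0x0004u;
    return !guarded_read(&dose_limit, &out);
}
```

Because every access goes through guarded_write and guarded_read, the corruption check cannot be skipped by a client that touches the variable directly.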

Ensuring Calculation and Algorithm Integrity. In this context, algorithms and calculations are used to convert a real-world representation to a machine-oriented representation. For example, if a stepper motor will cause a movement of some distance, the distance will be converted to a number of step pulses and some number of feedback pulses via an encoder.

Ultimately, an algorithm yields one or more calculations. The mechanization of the calculation must be analyzed, especially when multiple steps are involved. As a software compiler works through the source code, it may use intermediate "pseudovariables." Unintended rounding or truncation may result.

The software designer must perform rigorous developmental testing to ensure that under- or overflow and nominal values in the various input terms yield the expected results. When a variable overflows, its value decreases—like an odometer on a car driven many thousands of miles.

It is possible that the codified calculation may need additional explicit steps to avoid unintentional compiler influences. Never sacrifice proper functionality in the name of code elegance: the code must work properly, not look nice.
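
The stepper-motor conversion mentioned above, as an added example that is not from the original article. It shows how an intermediate value can overflow or truncate, next to a version that widens, rounds, and range-checks explicitly. The motor and lead-screw constants, the travel limit, and all names are assumptions.

```c
#include <stdint.h>

#define STEPS_PER_REV    200u  /* assumed motor: 200 full steps per revolution */
#define LEAD_UM_PER_REV  2000u /* assumed lead screw: 2000 um of travel per rev */
#define MAX_TRAVEL_STEPS 6000  /* assumed mechanical travel limit */
#define STEPS_FAULT      (-1)

/* Mimics a target with 16-bit int: the intermediate product wraps at 65536. */
uint16_t steps_16bit_intermediate(uint16_t distance_um)
{
    uint16_t product = (uint16_t)(distance_um * STEPS_PER_REV);
    return (uint16_t)(product / LEAD_UM_PER_REV);
}

/* Dividing first avoids the overflow but truncates short moves to zero. */
uint16_t steps_divide_first(uint16_t distance_um)
{
    return (uint16_t)((distance_um / LEAD_UM_PER_REV) * STEPS_PER_REV);
}

/* Explicit steps: widen before multiplying, round to nearest, range-check. */
int32_t distance_um_to_steps(uint16_t distance_um)
{
    uint32_t product = (uint32_t)distance_um * STEPS_PER_REV; /* max 13,107,000 */
    uint32_t steps = (product + LEAD_UM_PER_REV / 2u) / LEAD_UM_PER_REV;

    if (steps > (uint32_t)MAX_TRAVEL_STEPS)
        return STEPS_FAULT; /* caller must not command the motor */
    return (int32_t)steps;
}
```

For a 50,000 um move the correct answer is 5000 steps, but the 16-bit intermediate version returns 19; for a 1500 um move the divide-first version returns 0 instead of 150.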

Software Implementation Guidance

Naming Variables. A naming convention provides a by-inspection check that numbers are treated in logical ways. The preferred convention specifies both variable type and physical units.

Specifying a variable type (for example, in C, using "int," "unsigned int," "long," "char," etc.) provides a safeguard against unintentionally altering a value through variable truncation (downcasting) or assigning a signed type to an unsigned type. (Negative numbers will not translate as expected.)

Similarly, the physical unit shows where units might be mixed in a calculation. The equation Density_g/cm3 = Mass_g/Volume_cm3, which specifies units of measurement, is safer than Density = Mass/Volume, which does not. In the latter equation, the programmer would need to look up the units of measurement for each variable and ensure consistent variable usage.

Initialization. In most programming languages, allocating space for a variable means that the variable is assigned to a piece of memory, which has a random value. To prevent random behavior as a result of acting on uninitialized variables, the variables should always be set to a specific value before their initial use. This programming practice becomes mandatory when the goal is to make software safe.

Range Checking. Most languages do not perform range checking on arrays. This might mean no warning is raised if the code accesses the sixth element of an array that has only five elements, for example. If read, that sixth element will essentially return a random value; if written, that element will likely corrupt at least one other variable, resulting in unexpected behavior. Like initialization, range checking is a good programming practice that should be elevated to a mandatory practice.

Filling Unused ROM. Finally, it is important to note that unused memory should be filled with an instruction that causes a transition to a known safe state. Unused ROM without specific and deliberate values may contain random numbers. If these memory locations are used (however improbable that is), unpredictable behavior ensues.

Safety from the Start

The medical device industry can settle for no less than the highest levels of safety and quality—and the software design should reflect the same standards. Deliberate engineering practices must be applied from the onset of the software design process to reduce software complexity for a safer overall system.

Risk mitigation must be an active and continuous engineering activity performed throughout the development of the device. It must influence all aspects of design, including preliminary design (top-down), detailed design (bottom-up), and the formulation of testing strategy as applied to the software product. A proper hardware sensor suite should always be in place to accurately measure the behaviors of the device. The software design should mandate that data and algorithms be monitored at all times for computational integrity and corruption detection.

By ensuring that each of these precautions is taken, developers can successfully achieve safety-conscious software.

Timothy Cuff and Steven Nelson are senior research scientists in product development at Battelle Memorial Institute (Columbus, OH). The authors acknowledge the contributions of Clark Fortney and Jeffrey Keip, both of Battelle Memorial Institute.

Copyright ©2003 Medical Device & Diagnostic Industry