So I want to compare the regulatory process it takes to write software for a medical device compared to a voting machine. A thread:
-
-
Everything that's done is done at the discretion of the manufacturer. Maybe there's some state regulations out there, but I don't know any.
-
If you want to copy patient data off a medical device using a thumb drive, HIPAA regs require you to have a destruction plan for that drive.
-
For voting machines, it just gets copied to a laptop, whatevs.
-
If you're like, "wow, that seems like there's a lot of potential failure modes" then indeed you are correct.
-
In my precinct, I fill in a scantron thingy. Except it's not really a scantron, it's like a printed word doc. And the machine eats it.
-
Does it get my vote right? Is it robust to dirty fingerprints and pen colors and creases in the paper? ¯\_(ツ)_/¯
-
Can I look up a database and see failures and recalls? ¯\_(ツ)_/¯
-
.@Slestac points me to this: https://www.eac.gov/testing_and_certification/testing_and_certification_program.aspx … This exists as a certification effort, but seems to lack the FDA's teeth.
-
To be clear: industry standards are not enough in high-risk devices. Regulatory oversight by a congressionally-empowered agency is needed.
-
This document contains all state regulations: https://www.eac.gov/assets/1/Page/State%20Requirements%20and%20the%20Federal%20Voting%20System%20Testing%20and%20Certification%20Program.pdf … Most back-trace to federal *certification* requirements.
End of conversation
New conversation -
-
-
not criticizing, but https://www.eac.gov/testing_and_certification/ … is something that voting system companies go through. It's expensive and
-
requires adherence to VVSG standards, which include code history, reviews, style guides, etc
-
and that's just at the federal level. Some states have additional certification requirements that manufacturers must meet.
-
But is this statutorily required?
-
And overseen by a congressionally-empowered agency?
-
sorry, I didn't get that far into that side of things. VVSG cert is a big driver in this industry.
-
Definitely. It's one of those "free market managing its own standards" things that can sometimes work.
End of conversation
New conversation -
-
-
sadly code reviews are not mandatory for all medical software. Process compliance and history is what FDA focuses on.
-
It depends on the device classification, level of concern, and whether the device is cGMP exempt, yeah. It's complicated. /shrug
End of conversation
New conversation -
-
-
been frightened of this for years. No excuse except “shenanigans”