Episode 24 · May 27, 2025 · 26m listen · 3,496 words · ~17 min read
Essential Software Documentation for Med Device Manufacturers | Ep. 21 - Full Transcript | The Med Device Cyber Podcast
Read the complete, searchable transcript of Episode 24 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.
Prefer the listening experience? Open the episode page for the synopsis, key takeaways, topics, and Apple / YouTube listen links.
Episode summary
In this episode of the Med Device Cyber Podcast, hosts Trevor Slattery and Christian Espinosa of Blue Goat Cyber delve into the critical, yet often neglected, topic of software documentation for medical devices. They argue that while cybersecurity is gaining attention in the product development lifecycle, the foundational software documentation required for both regulatory submissions and effective security implementation frequently lags behind. The discussion highlights a common scenario where manufacturers approach their FDA submission deadline (for a 510(k), PMA, etc.) only to realize they lack the necessary documents, such as a System Requirements Specification (SRS) or a comprehensive data flow diagram, which are essential for creating the required cybersecurity artifacts.
The hosts frame the conversation around the international standard IEC 62304, which outlines the software development lifecycle processes for medical devices. They explain that the standard's documentation requirements scale with the device's complexity and risk classification. A high-risk, Class III implantable device like a pacemaker will demand far more rigorous documentation than a lower-risk Class II device. Slattery and Espinosa emphasize that this documentation is not merely a bureaucratic hurdle for the FDA but a cornerstone of good engineering practice. It ensures the device is maintainable, traceable, and understandable to new developers or team members. They share anecdotes of clients lacking even basic diagrams, which complicates the entire development and security assessment process.
The main argument presented is that robust documentation practices must be integrated from the very beginning of the development process. Key documents they identify as top priority include the SRS (detailing functional and non-functional requirements), architectural diagrams, and data flow diagrams (which the FDA also terms the "global system view"). They stress the importance of documenting everything, including physical ports or wireless interfaces that are disabled, as undocumented components can introduce unforeseen risks and cause confusion for both security assessors and end-users. Ultimately, they conclude that thorough documentation is indispensable for building a secure and high-quality medical device, making the regulatory journey smoother and the final product safer for patients.
Key takeaways from this episode
Comprehensive software documentation is a critical prerequisite for both successful FDA submissions and effective medical device cybersecurity, yet it is often an afterthought for manufacturers.
The international standard IEC 62304 governs the software development lifecycle for medical devices, with documentation requirements that scale according to the device's complexity and risk level.
Key documents, such as the System Requirements Specification (SRS) and data flow diagrams, are foundational for building cybersecurity artifacts and are essential for a smooth regulatory process.
Good documentation is a fundamental software engineering practice that goes beyond compliance, ensuring the product is maintainable, traceable, and understandable for future development and security assessments.
The lack of proper documentation forces cybersecurity teams and developers to reverse-engineer the device's functionality, which is inefficient and prone to error.
All components and interfaces of a device, even those that are physically present but disabled (like an unused Ethernet port), must be documented to avoid creating security gaps or user confusion.
Medical device innovators, especially those outsourcing development, must ensure their partners are not only skilled in coding but are also well-versed in the documentation standards required by regulatory bodies like the FDA.
Full episode transcript
Page 1 of 5· Paragraphs 1 - 14
Trevor: Hello and welcome to another episode of the Med Device Cyber Podcast. I'm joined here today by Christian Espinosa. How are you doing today, Christian?
Christian: I'm doing well. What are we talking about today, Trevor?
Trevor: Today we're talking about something that blends well into cybersecurity, but people kind of see it as a little bit of a different topic, and that's going to be software documentation.
Christian: Okay, so we're focused on medical device software development, the documentation required, what some of the best practices are, and how that ties into cybersecurity and how it pertains to a class two or class three device, you know, the the different complexities of the device, uh, affect the required documentation and also this ties into IEC 62304, right?
Trevor: Yep, exactly. And an issue that we run into all the time is when it's time for a 510(k) or a PMA or a De Novo or whatever submission into the FDA, manufacturers weren't really getting ready for it. Even if they get ready for their, you know, they try to account for their cybersecurity early in the process. They still have six months out before their submission. They don't have any of the software documents that are required to translate into these cybersecurity documents.
So, we want to talk about what some of the important documents to prioritize are. I'd say, you know, like the main five or six documents that should be top priority and then how that can vary depending on the device, sort of like you were mentioning.
Christian: So these documents are really required from a secure product development framework perspective or DevSecOps. And then also without these documents, it's hard for us to do our job from a cybersecurity perspective because I know we've had several clients come to us that they didn't even have like a data flow diagram. I'm not sure how they developed their software without any documentation.
Trevor: Yeah, I can think of times spent in Zoom calls where we're actively creating the documents and they're saying, 'Do you think the device does this?' or 'How should I word this best?' and so, it's it's not even just like a FDA issue or a cybersecurity issue. You want to have all this documentation ready so that, you know, you don't know who's going to be maintaining that code in the future. You don't know if you have a new hire, you don't want to spend months trying to explain how this product works. They just want to be able to read the documentation and know.
So it goes even past the complaint that we have as, you know, the cybersecurity team and branches more into just it's just good practice to have all this clear documentation for a product in general. But especially for a medical device where there can be pretty complex, there can be a lot that's going on, a lot of different connected parts, and so you don't want it to be unclear to a new developer or a new team member what's going on there.
Christian: Yeah, so what are the what are some of these top pieces of documentation?
Trevor: Well, I think we'll sort of go back to something I think you mentioned a little bit earlier, and that's IEC 62304. So, that is the golden standard for secure development of a medical device, and it's a pretty lengthy, you know, standard document. Uh, it goes into a lot of different information on what you should do for preparation and what documentation you should do, best practices for development, uh, integrating security into your development life cycle.
But one very important thing that it mentions is documentation is going to scale a little bit based on the device's complexity. And complexity can mean two different things. So, the first thing we'll talk about is just complexity, meaning is it a small system or is it a big system with a lot of stuff going on?
If you have a very big system, tons of different interconnected parts, it doesn't matter if it's a fairly low risk system, there's just going to be a lot more to document by nature of what the system is. And so in that regard, you're probably going to have a lot more documentation for this super complex analysis software that's running in the cloud with a whole bunch of agents deployed on workstations, even if it's just doing an analysis on trying to figure out if you have the common cold or something.
Um, compared to a single focus device, like let's say a... intubator. That's a much more serious device, much more critical function, but it doesn't really do much. It keeps your airway open. That's all it does. So, the documentation on what's going on in that device is likely going to be a little bit more minimal, even though it's a more complex system.