Re: Certifications for Medical Devices
I work on pharmacovigilance software, and this is essentially correct. You're describing the requirements for validation.
You *can* update the state of the device. You can patch the OS. You can update the code. *But* if you do so, you have to revalidate it with the new configuration - basically, produce a whole metric craptonne (it's 10% bigger than an Imperial crapton) of documentation that the device, with its new configuration, still meets its formal specifications. This can be done by either the manufacturer, or the user, but it *does* have to be done to comply with medical regulations. It's a royal pain.
There's nothing preventing you from making the software open source, but the issue is that you can't just update it at random and remain in compliance.