Risky Business: FDA Trots Out Risk-Based Framework For Validating Software For Quality Systems, Device Production

Sep 13, 2022 | News

Manufacturers would apply a risk-based approach to validating software used in quality systems and the production of medical devices under a new proposed guidance document from the U.S. Food and Drug Administration (FDA).

Dated Sept. 13, the 25-page draft doc, “Computer Software Assurance for Production and Quality System Software,” describes a risk framework companies can use as they attempt to satisfy the agency’s expectations around software validation for automated data processing systems and computers.

Such validation activities have traditionally been relegated to software testing, but the FDA says in its draft that standalone testing is “often insufficient to establish confidence that the software is fit for its intended use.”

Using a risk-based approach, the agency says, will “better focus manufacturers’ assurance activities to help ensure product quality” while helping device makers meet validation requirements found in the FDA’s Quality System Regulation under 21 CFR, Part 820.70(i), “Production and Process Controls: Automated Processes.”

The FDA adds that recommendations it gives in the draft guidance “will help foster the adoption and use of innovative technologies” when companies make devices and assist manufacturers as they work to “keep pace with the dynamic, rapidly changing technology landscape, while promoting compliance with laws and regulations implemented by FDA.”

When finalized, the guidance will supplement a separate 2002 guidance document, “General Principles of Software Validation.” The agency stresses, however, that its new draft doc doesn’t apply to Software as a Medical Device (SaMD) or Software in a Medical Device (SiMD).

“By allowing manufacturers to leverage principles such as risk-based testing, unscripted testing, continuous performance monitoring and data monitoring, as well as validation activities performed by other entities [such as developers and suppliers], the computer software assurance approach provides flexibility and agility” for ensuring a validated state, the agency says in its draft.

FDA: Not All Software (Or Risk) Is Alike

The proposed guidance splits software into two buckets: software used directly for device production and quality systems, which demands an elevated level of risk scrutiny, and supporting-role software, which requires less.

When conducting a risk assessment, the doc says, device makers would be wise to determine which risks are likely to happen and which aren’t. It further explains that high-process risks are those that could lead to quality troubles and poor product safety, while lower-process ones wouldn’t.

While both types of risk should be addressed, the FDA says it’s “primarily concerned with the review and assurance for those software features, functions and operations that are high-process risk because a failure also poses a medical device risk.”

“For high-risk software features, functions and operations, manufacturers may choose to consider more rigor such as the use of scripted testing or limited scripted testing, as appropriate, when determining their assurance activities,” the draft guidance explains. On the flip side, companies could use less rigorous approaches, such as ad-hoc testing, error-guessing, exploratory testing, “or a combination of methods,” for features, functions and operations that are of lower risk.

“Manufacturers are responsible for determining the appropriate assurance activities for ensuring the software features, functions or operations maintain a validated state,” the FDA says, noting that device makers have wiggle room when selecting a validation test – or tests – that works best for them.

But no matter which path is followed, firms should document their activities. Records “need not include more evidence than necessary to show that the software, feature, function or operation performs as intended for the risk identified,” the draft says. “FDA recommends the record retain sufficient details of the assurance activity to serve as a baseline for improvements or as a reference point if issues occur.”

The draft, which is rife with examples to aid manufacturers as they work to comply with agency expectations, is out for stakeholder comment through Nov. 22 at Regulations.gov.

In the meantime, don’t let the tricky business of software validation trip up your device firm. MEDIcept’s team of experts can ensure you’re in compliance with 21 CFR, Part 820.70(i) and validate all required software systems. We’ll also help your company develop a Software Master File that’s second to none.

Learn more by visiting www.medicept.com or emailing mediceptsales@medicept.com.

MEDIcept … Trusted Solutions, Rapid Response …

About Us

MEDIcept is an international consulting firm offering a full portfolio of services to the medical device and IVD industry. For over 25 years, our unique consulting practice and multidisciplinary team of former FDA, Notified Body, and industry experts have assisted hundreds of companies of all sizes with innovative, compliant, trusted, and cost-effective Regulatory, Quality, Clinical, and Engineering solutions.

For additional information, please contact Susan Reilly at SReilly@MEDIcept.com.