The new article describes in detail the process of determining whether computer software used in the context of medical device manufacturing processes should be subject to validation.
The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to computer software assurance for production and quality system software. The document is intended to provide additional clarifications regarding the applicable regulatory requirements, as well as recommendations to be considered by medical device manufacturers and other parties involved to ensure compliance thereto. At the same time, provisions of the guidance are non-binding and are not intended to introduce new rules or impose new obligations. Moreover, the authority explicitly states that an alternative approach could be applied, provided such an approach is in line with the underlying legislation and has been agreed with the authority in advance.
In particular, the document describes the approach to be applied concerning the software used in the course of the medical device manufacturing process. By virtue of the guidance, the authority explains the measures to be taken to ensure the said software operates as intended since it could impact the quality of the medical devices manufactured.
Computer Software Assurance: Basics
According to the guidance, computer software assurance stands for a risk-based approach for establishing and maintaining confidence that software is fit for its intended use; this approach considers the risk of compromised safety and/or quality of the device (should the software fail to perform as intended) to determine the level of assurance effort and activities appropriate to establish confidence in the software. The authority also mentions that computer software assurance follows the least burdensome approach introduced to reduce the unneeded regulatory burden the parties involved may face. In such a way, the resources could be used most efficiently while ensuring the proper quality of medical devices placed on the market.
As further explained by the FDA, computer software assurance establishes and maintains that the software used in production or the quality system is in a state of control through its lifecycle (“validated state”). The authority mentions that nowadays the manufacturing processes employed by medical device manufacturers depend significantly on the computer systems used to control the processes, analyze the data related thereto, and also notify responsible personnel in case of any issues. Thus, medical device manufacturers should apply a risk-based approach when conducting computer software assurance to maintain the validated state as required under the applicable regulations.
The software used in the manufacturing process is deemed to fit its intended use in case it ensures the final medical devices manufactured to meet the appropriate specifications and are compliant with the respective regulatory requirements such devices are subject to.
The document further describes in detail the computer software assurance risk framework and provides examples demonstrating the way it should be applied.
Under the general rule, as set forth by 21 CFR 820.70(i), medical device manufacturers are responsible for validating the software they use in the course of the manufacturing process, including the production itself, or the quality system. When determining whether a specific software is subject to validation, the intended use of such software is to be considered. According to the guidance, software used by medical device manufacturers could be divided into the following categories:
- Software that is used directly as part of production or the quality system, and
- Software that supports production or the quality system.
As further explained by the FDA, the first category applies to the software that is used in the context of automation of manufacturing processes, as well as inspection or testing. This category also applies to the software used for automating quality system processes or maintaining the records related to the QS regulation.
At the same time, the second category covers the software used as a development tool concerning the software directly used in the manufacturing processes, and also the software used for automating general record-keeping, while it is not related to the quality record.
It is important to mention that according to the guidance, both categories of the software described herein above are subject to validation, even though the approach to be applied for the software used to support operations could be less rigorous due to the relatively low risks associated thereto.
The authority further outlines the categories of the software which fall outside the scope of validation requirements since it is not considered to be used as part of production or the quality system. In particular, this is related to:
- Software intended for management of general business processes or operations, such as email or accounting applications; and
- Software intended for establishing or supporting infrastructure not specific to production or the quality system, such as networking or continuity of operations.
The authority acknowledges the complexity of the software used in medical device manufacturing processes due to the numerous functions and features such software usually has. Thus, such software could have multiple intended uses. In such cases, the risks related to such functions could be different as well and would require a differentiated approach. The authority further encourages medical device manufacturers to examine the intended uses of the individual features, functions, and operations to facilitate the development of a risk-based assurance strategy. For instance, different activities could be performed to address separate functions.
In summary, the present guidance describes the approach to be applied when determining the regulatory status of the software used in manufacturing processes and whether it should be subject to validation under the applicable regulatory requirements. The authority highlights the key points to be taken into consideration when making such a determination, and also provides additional clarifications regarding the categories computer software could be divided into.
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.