The Food and Drug Administration (FDA or the Agency), the US regulating authority responsible for healthcare products, has published a guidance document dedicated to off-the-shelf software use in medical devices.

The latest version of the document was issued in September 2019. Due to its legal nature, the FDA guidance is not intended to introduce any new rules and requirements but to provide additional clarifications and recommendations regarding applicable legislation. Moreover, the authority emphasizes that an alternative approach could be applied by the parties involved, provided such an approach complies with the applicable regulatory requirements and has been approved by the FDA in advance.

Regulatory Background 

The scope of the present FDA guidance covers the most important aspects related to off-the-shelf (OTS) Software. Such software could be used to manage general operations of medical devices while specific software components developed by the medical device manufacturer operate special functions. According to the document, the medical device manufacturer using OTS Software generally gives up software life cycle control but still bears the responsibility for the continued safe and effective performance of the medical device. 

As mentioned, the guidance is intended to provide medical device manufacturers with additional clarifications regarding the regulatory status of OTS Software and medical devices incorporating it in the context of premarket submissions. The recommendations provided in the present document should be considered in connection with the safety-related aspects and the way OTS Software impacts the patient or operator. In particular, it is necessary to assess the risks associated with OTS Software and its potential failures. These factors should also be taken into consideration when determining the scope of documentation to be submitted to the regulating authority when applying for marketing authorization for medical devices incorporating OTS Software. It is stated that there is a basic set of documentation to be provided in all cases, while sometimes additional documentation could be needed due to certain specific features of the product subject to review.

The document also contains references to the FDA-recognised voluntary consensus standards that medical device manufacturers may use in order to demonstrate compliance with the applicable regulatory requirements. The information provided in the guidance is closely related to the recommendations contained in the guidance for the content of premarket submissions for software contained in medical devices. The regulatory approach described therein could also be applied in the context of medical devices incorporating OTS Software.

The recommendations provided in the present FDA guidance employ a safety-based approach to risk management and are aligned with the commonly accepted best practices. According to these standards, the risks associated with medical devices in general, and OTS Software in particular, should be evaluated with regard to the following factors:

  • The severity of harm a product in question could potentially cause, and
  • The probability of occurrence of harm. 

The evaluation of probabilities should be based on engineering considerations (software failure rates), as well as on the clinical data available. The Agency acknowledges that due to the specific nature of software failures, it is quite difficult to evaluate the associated probabilities with sufficient accuracy. Thus, the authority recommends focusing mostly on the harm that could be caused to patients or operators as a result of such software failure. The concept of “Hazard Analysis” described in the document stands for the identification of hazards and their initiating causes. It is stated that hazard analysis constitutes a part of risk analysis. In most cases, the terms “risk” and “hazard” could be used interchangeably. However, the Agency recommends using the term “hazard” each time the risk associated with the medical device is evaluated with regard to the harm that could be potentially caused by a failure rather than a probability of the failure itself.

The guidance provides the definitions of the most important terms and concepts used in the context of OTS Software used in medical devices. The terms described in the guidance include the following: 

  • Hazard Mitigation – reduction in the severity of the hazard, the likelihood of the occurrence, or both. 
  • Off-the-Shelf Software (OTS Software) – a generally available software component, used by a medical device manufacturer, for which the manufacturer cannot claim complete software life cycle control.
  • Risk Control – the process through which decisions are reached and implemented for reducing risks to, or maintaining risks within, specified limits. 

Decision Making Process 

In order to assist medical device manufacturers in applying a risk-based approach in the context of OTS Software, the present FDA guidance outlines the suggested decision-making process to be followed when determining the particular scope of documentation to be provided as part of a premarket submission. 

The process includes the following steps:

  1. Determining whether the medical device in question incorporates OTS Software. If yes, basic documentation should be provided by default. 
  2. Conducting Device & OTS Software Hazard Analysis in order to determine a Level of Concern. If the Level of Concern is Minor, no additional steps are needed; otherwise, Hazard Mitigation would be required. Additionally, it will be necessary to describe and justify the residual risk.
  3. Evaluation of a Level of Concern associated with the OTS Software in question after the appropriate hazard mitigation has been performed. If the Major Level of Concern still applies, OTS Software Special Documentation should be provided. 

The document also contains a table summarizing the information described above.


OTS Software Use

The guidance further describes in detail the scope of information to be covered by the documentation associated with OTS Software. 

1. Basic documentation for OTS Software shall describe the software itself and also provide information about its manufacturer, version, and design limitations. This section should also cover computer system specifications for the OTS Software, controls implemented in order to ensure the software will be used in an appropriate way, the functions the software performs, the way it operates, and also the way the control of the OTS Software would be performed (e.g., ensuring the proper installation or maintenance). 

2. OTS Software Hazard Analysis. According to the guidance, the medical device manufacturer shall conduct an OTS Software hazard analysis as a part of a medical device (system) hazard analysis. The Agency recommends providing a list of all potential hazards identified, the estimated severity of each identified hazard, and a list of all potential causes of each identified hazard. 

3. OTS Software Hazard Mitigation. This section describes the activities carried out in order to reduce the severity of the hazard, the likelihood of the occurrence, or both. In general, all such measures could be divided into three main categories: design (or redesign), protective measures (passive measures), and warning the user (labeling).

In summary, the present FDA guidance describes the most important aspects to be considered in the context of OTS Software. The document outlines the scope of information to be provided by the medical device manufacturer and prescribes the way such scope should be determined depending on the risks associated with the product in question. 

