The Food and Drugs Administration (FDA or the Agency), the US regulating authority in the sphere of medical devices, has published a guidance document dedicated to the general principles of software validation. The guidance is intended to provide medical device manufacturers and other parties involved with additional clarifications regarding the applicable regulatory requirements, and also with important recommendations to be considered to ensure compliance thereto. However, the provisions of the guidance are non-binding, and thus should not be construed as new rules or requirements. The Agency also mentions that an alternative approach could be applied, provided such an approach complies with existing legislation and has been agreed with the authority in advance. The present article outlines the main principles of software validation and highlights the most important aspects to be taken into consideration by medical device manufacturers and other parties involved in operations with software intended for medical purposes.


First of all, the Agency states that both validation and verification of the software should be based on software requirements specification. 


Defect Prevention 

According to the guidance, the main purpose of software quality assurance is to prevent defects from appearing instead of assessing the quality of the software once it has been created. The authority also mentions that not all the defects the software has could be identified in the course of testing. Moreover, in certain cases, comprehensive testing of the software is complicated or even impossible due to its complexity. In general, the FDA states that software testing is a necessary activity, however, in most cases software testing by itself is not sufficient to establish confidence that the software is fit for its intended use. Thus, the Agency encourages medical device manufacturers (software developers) not to limit their activity to software testing, but to implement a comprehensive approach based on a combination of methods applied. The particular set of methods and approaches should be determined depending on numerous factors, such as the development environment, application, size of project, language, and risk. 


Time and Effort 

To ensure a time- and cost-effective approach, the manufacturer shall consider the aspects related to testing from the very first design and development stages. As explained by the FDA, the activities related to the collection of necessary evidence should be duly carried out during the whole life cycle of the product in question. 


Software Life Cycle 

As it was mentioned before, the activities related to software verification and validation should take place throughout the whole life cycle of the software. In particular, depending on the specific features of the particular software subject to review the manufacturer should decide on methods and approaches to be applied. It is also important to mention that the present FDA guidance does not provide specific recommendations regarding the particular methods to be employed by the medical device manufacturers, but only emphasizes the importance of such methods to be determined and applied. 



Under the general rule, the software validation process takes place strictly by the appropriate plan. The Agency additionally emphasizes the importance of software validation plans for ensuring the efforts are properly focused. According to the guidance, software validation plans specify areas such as scope, approach, resources, schedules, and the types and extent of activities, tasks, and work items. 



It is further explained that the software validation process, in general, is based on specific procedures to be undertaken by the medical device manufacturer. According to the guidance, these procedures should prescribe the particular actions to be performed. 


Software Validation After a Change 

The authority also emphasizes the importance of changes to the software, even the minor ones. In particular, it is stated that sometimes a minor change could have a significant impact on the safety and effectiveness of the product in general. Thus, validation should take place each time the changes are made to the software. According to the guidance, whenever software is changed, a validation analysis should be conducted not just for validation of the individual change, but also to determine the extent and impact of that change on the entire software system. Then the manufacturer should duly carry out testing to ensure the changes will not result in additional risks. 


Validation Coverage 

According to the guidance, validation coverage should be determined depending on the complexity of the software in question, as well as risks associated thereto. The same approach should be applied when deciding on the scope of activities to be carried out in the course of validation. For instance, in the case of low-risk devices, it would be sufficient to undertake basic validation activities. For the devices with higher risk, additional activities should be performed to address such risk. The documents to be created should demonstrate the successful completion of all validation plans. 


Independence of Review 

According to the guidance, to ensure an unbiased and impartial review, the manufacturers are encouraged to employ third-party independent validation and verification, especially in the case of medical devices associated with high risk. Alternatively, there is an option to engage in verification and validation processes for those employees that were not directly involved in operations with the medical device subject to review at previous stages. The FDA also states that the fewer employees the company has, the more difficult it becomes to ensure the independence of review. 


Flexibility and Responsibility 

As explained by the FDA, the particular way the principles outlined herein should be applied depends on the particular software in question. Hence, medical device manufacturers should be flexible enough in implementing these principles, provided that as a result, they can demonstrate that the product subject to review has been duly validated. 

The scope of the present principles applies to software that:

  • Is a component, part, or accessory of a medical device; 
  • Is itself a medical device; or
  • Is used in manufacturing, design, and development, or other parts of the quality system. 

An application could consist of components deriving from different sources, and the type of these components could be different as well. Thus, the scope of methods to be applied should be sufficient to cover all specific aspects associated with the software and its components. 

The authority also mentions that even if software validation activities could be carried out by different entities, the medical device manufacturer should be the one responsible for software validation in general. 

In summary, the present FDA guidance addresses the most important aspects related to the principles of software validation. The document highlights the main points to be taken into consideration by medical device manufacturers depending on the specific features of the software in question. 



How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.