The new article describes in detail the way the appropriate assurance activities should be determined. 

The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to computer software assurance in the context of the software intended to be used in the course of manufacturing processes and procedures. The document describes the approach to be applied for the validation of such software to ensure it operates as intended since this could impact the safety, quality, and efficacy of medical devices manufactured. 

It is important to mention that FDA guidance documents are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations, but rather to provide additional clarifications regarding the applicable regulatory requirements, as well as recommendations to be considered by medical device manufacturers and other parties involved to ensure compliance therewith. The authority also mentions that an alternative approach could be applied, provided such an approach is in line with existing legislation and has been agreed with the authority in advance.


Determining the Appropriate Assurance Activities: Key Points 

The scope of the guidance covers, inter alia, the aspects related to the determination of the appropriate assurance activities to be carried out to validate computer software used in the context of the medical device manufacturing process. According to the guidance, once the manufacturer has determined whether a software feature, function, or operation poses a high process risk (a quality problem that may foreseeably compromise safety), the manufacturer should identify the assurance activities commensurate with the medical device risk or the process risk. As further explained by the FDA, where the quality-related issue could adversely impact the safety of a medical device manufactured, the level of assurance to be applied should correspond to such medical device risk, while where the issue in question is not expected to affect the safety of a medical device, the level of assurance should correspond to the appropriate process risk. Under the general rule, the higher the risk associated with the potential failures of the computer software in question, the more rigorous the assessment that should be undertaken to ensure it operates as intended when used in the course of the medical device manufacturing process. At the same time, relatively less risk (i.e., not high process risk) of compromised safety and/or quality generally entails less collection of objective evidence for the computer software assurance effort.

According to the guidance, where the feature or operation in question could potentially result in severe harm to a person using the device or to a patient, it should be considered a high medical device risk; otherwise, it would not be considered a high device risk. Thus, the risk associated with a potential failure of the computer software in question corresponds to the appropriate medical device risk.

Should the medical device manufacturer determine that the feature or operation subject to assessment is not expected to impact the safety of a medical device being manufactured, the assessment should cover the risk related to the manufacturing process itself, since in this case no new medical device risk would arise.

Types of Assurance Activities

As further explained by the FDA, the types of assurance activities medical device manufacturers may carry out include, inter alia, the following:

  • Unscripted testing – dynamic testing in which the tester’s actions are not prescribed by written instructions in a test case. It includes ad-hoc testing, error-guessing, and exploratory testing. 
  • Scripted testing – dynamic testing in which the tester’s actions are prescribed by written instructions in a test case. Scripted testing includes both robust and limited scripted testing. 

The guidance also describes in detail each of the abovementioned testing types. According to the guidance, ad-hoc testing stands for a concept derived from unscripted practice that focuses primarily on performing testing that does not rely on large amounts of documentation (e.g., test procedures) to execute. Another type of testing, error-guessing, is based on the knowledge and experience of the person who conducts such testing with respect to potential failures. Exploratory testing is also based on the experience of the person conducting the testing, since in this case such a person conducts tests based on their knowledge of medical devices, the way they operate, and the potential risks associated therewith. According to the guidance, exploratory testing looks for hidden properties, including hidden, unanticipated user behaviors, or accidental use situations that could interfere with other software properties being tested and could pose a risk of software failure.

The document also explains the scripted testing types. For instance, in the case of robust scripted testing, the testing corresponds to the risk of the computer system or automation and includes evidence of repeatability, traceability to requirements, and auditability. At the same time, limited scripted testing constitutes a hybrid approach that combines the features of both scripted and unscripted testing, corresponding to the risks associated with the software: in such a case, scripted testing is applied to functions associated with high risk, while unscripted testing covers the aspects related to low- and medium-risk features.

In summary, the present FDA guidance provides an overview of assurance activities to be undertaken for computer software intended to be used in the course of the medical device manufacturing process. The document highlights the key points and criteria to be taken into consideration when determining the particular activities to be undertaken depending on the risks associated with the features, functions, or operations in question, and also on the way failures of the software subject to review could impact the overall safety of a medical device.

