The new article describes in detail the aspects related to establishing the appropriate record for the assurance of the software used in the course of manufacturing activities. 

The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to the computer software used for the medical device production process. The document describes the approach to be applied when validating the proper operations of such software to ensure the safety and quality of medical devices being manufactured. 

Under the general rules, FDA guidance documents are non-binding in their legal nature, nor are intended to introduce new rules or impose new obligations, but rather to provide medical device manufacturers and other parties involved with additional clarifications regarding the applicable regulatory requirements, as well as recommendations to be followed to ensure compliance thereto. The authority also mentions that an alternative approach could be applied, provided such an approach is in line with existing legislation and has been agreed with the authority in advance. 


Establishing the Appropriate Record: Key Points 

As explained by the FDA, in terms of record-keeping requirements, medical device manufacturers are obliged to address the matters related to the activities undertaken to validate the proper performance of production software when used for its intended purpose. According to the guidance, such records should include, inter alia, the following:

  • The intended use of the software feature, function, or operation;
  • The determination of the risk of the software feature, function, or operation;
  • Documentation of the assurance activities conducted, including:
    • Description of the testing conducted based on the assurance activity; 
    • Issues found (e.g., deviations, failures) and the disposition; 
    • Conclusion statement declaring acceptability of the results;
    • The date of testing/assessment and the name of the person who conducted the testing/assessment;
    • Established review and approval when appropriate (e.g., when necessary, a signature and date of an individual with signatory authority). 

The authority additionally emphasizes that it will be sufficient to document only the evidence demonstrating that the software in question operates as intended. However, medical device manufacturers are encouraged to collect and document additional information regarding the assurance activities in case such information could be useful for future development and improvement of assurance activities. 

The guidance further provides a table outlining the approaches to be applied for various types of computer software assurance activities, together with the examples intended to illustrate the said approaches and specific aspects associated thereto. For instance, one of the examples describes a situation when the manufacturer has developed and implemented a special process intended to ensure that medical devices that do not comply with the applicable safety and performance requirements will not be supplied. In this situation, a separate spreadsheet is used to collect the necessary information about the controls and activities undertaken. In case the said spreadsheet fails to perform properly, the records to be created should cover the following aspects:

  • Intended Use: Since the spreadsheet is used to collect and manage data on compliance-related matters, it should be considered a part of the production or quality system, so the approach to be applied for it should be different in comparison to the approach for similar software used for general business purposes (e.g., accounting). 
  • Risk-Based Analysis: in the situation described, failure of the software to perform as intended would not adversely affect the safety of medical devices due to the way it is used. 
  • Description of the component tested;
  • Description of testing conducted;
  • Description of the testing goal, objectives, and activities, e.g.:
  • Create new analysis – Passed,
  • Read data from the required source – Passed,
  • Update data in the analysis – Failed due to input error, then passed,
  • Delete data – Passed,
  • Verify through observation that all calculated fields correctly update with changes – Passed with noted deviation. 
  • Details about the deviations identified;
  • Conclusions confirm that apart from the deviations, no other issues are identified. 
  • Information about the date and responsible person.

Additional Aspects 

The authority acknowledges that novel technologies make it possible for medical device manufacturers to use automation tools when documenting validation and assurance while reducing the need for manual processes and paper-based documentation. The use of electronic records is also in line with the least burdensome approach introduced by the authority to reduce the unneeded regulatory burden medical device manufacturers may face. According to the guidance, manufacturers may use electronic records when it takes to system logs or other data the software generates instead of screenshots accompanied by paper documentation. The FDA also mentions that some of the industry representatives have already raised concerns regarding the use of paperless methods for record-keeping. In this respect, the authority refers to a separate guidance document dedicated to electronic records and signatures. According to the guidance, the concept of an “electronic record” covers all the documents created and maintained in electronic form. 

In summary, the present guidance describes in detail the approach to be applied by medical device manufacturers to ensure and sustain the proper operations of computer software used in the context of manufacturing processes. The authority explains that the level of regulatory scrutiny such software should be subject to depends on the intended purpose of the software in question and the way its failure could potentially impact the safety and quality of products manufactured, i.e., the risks associated thereto. Thus, the guidance provides a differentiated approach to be applied by medical device manufacturers based on the criteria and factors outlined therein when determining the regulatory status of the computer software subject to review and the regulatory requirements such software should comply with. 



How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.