The new article describes in detail the aspects related to a risk-based approach and the way it should be applied concerning computer software assurance for production and quality system software. 

The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to the assurance requirements to be applied for the software used in the course of manufacturing processes and procedures. The document provides additional clarifications regarding the regulatory requirements set forth under the existing legislation, as well as recommendations to be taken into consideration by medical device manufacturers to ensure compliance with them. At the same time, provisions of the guidance are non-binding and are not intended to introduce new rules or impose new obligations apart from the ones already existing under the current legal framework. Furthermore, the authority explicitly states that an alternative approach could be applied, provided such an approach is in line with the respective legislation and has been agreed with the authority in advance.

The scope of the guidance covers, inter alia, the risk-based approach – the document describes the way it should be followed and highlights the key points associated with it.


Risk-Based Approach: General Principles 

First of all, the authority states that once a manufacturer has determined that a software feature, function, or operation is intended for use as part of production or the quality system, FDA recommends using a risk-based analysis to determine appropriate assurance activities. As further explained in the document, this risk-based approach entails systematically identifying reasonably foreseeable software failures, determining whether such a failure poses a high process risk, and systematically selecting and performing assurance activities commensurate with the medical device or process risk, as applicable.

The authority additionally emphasizes the difference between the risk-based analysis related to the software used in manufacturing activities, which is the subject of the present guidance, and risk analysis related to products (medical devices) themselves.

The risk-based approach provides that attention is to be paid to the factors that could potentially impact the way the software performs when used for its intended purpose – e.g., system configuration and management, data storage, and data transfer. Thus, a risk-based analysis for production or quality system software should consider which failures are reasonably foreseeable (as opposed to likely) and the risks resulting from each such failure. The authority also mentions that the scope of the present guidance covers both the risks associated with the manufacturing process and medical devices themselves. As further explained by the FDA, a process risk is one related to the production or quality system, while a medical device risk is one related to harm that could potentially be caused to a user or patient. However, the medical device risks addressed in the present guidance are the ones deriving from quality-related matters.

Classification of Processes Based on Risks 

According to the guidance, FDA considers a software feature, function, or operation to pose a high process risk when its failure to perform as intended may result in a quality problem that foreseeably compromises safety, meaning an increased medical device risk. Hence, the guidance highlights the key points related to the risks associated with the manufacturing process rather than the ones related to the harm potentially caused to a patient. The authority also provides examples of software features, functions, and operations that pose a high process risk. These examples include, inter alia, the following:

  • Maintaining the proper parameters for the manufacturing process that could impact the final product in terms of its characteristics or quality;
  • Inspecting or determining the acceptability of the device with limited or no additional human awareness;
  • Making corrections to the process parameters using automated feedback without additional human review;
  • Providing directions for use to be considered by the intended users;
  • Automated collection and assessment of the data related to the safety and quality of medical devices. 

At the same time, FDA considers a software feature, function, or operation not to pose a high process risk when its failure to perform as intended would not result in a quality problem that foreseeably compromises safety; this includes situations where failure to perform as intended would not result in a quality problem, as well as situations where failure to perform as intended may result in a quality problem that does not foreseeably lead to compromised safety. The document also provides several examples of functions and features that are considered to be not high process risk, namely: 

  • Collection and recording of data related to the manufacturing process for further analysis and review provided this will not have a direct impact on the underlying process itself; 
  • Automated tracking or logging complaints;
  • Managing data, including its processing, storing, and organizing;
  • Supporting the production or quality system. 

According to the guidance, the risks associated with the manufacturing process could vary from high to low, so medical device manufacturers are responsible for determining the risk of each feature or operation in the context of the intended use of the respective computer software. At the same time, as was mentioned before, the authority is mostly focused on the features and functions considered a high process risk since their failure could adversely impact the quality or characteristics of a medical device resulting in a medical device risk. Hence, the FDA applies a two-option determination: “high process risk” or “not high process risk”, while medical device manufacturers may apply a more detailed classification. 

In summary, the present guidance describes in detail the way the risk-based approach should be applied concerning computer software used in the course of the manufacturing process or in relation to quality management. The document explains the key considerations related to such a determination, and also outlines the main factors to be considered.


