The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of medical devices, has published a guidance document dedicated to the main principles of software validation. The document is intended to assist medical device manufacturers (software developers) in achieving and sustaining compliance with the applicable regulatory requirements. It is important to mention that FDA guidance documents are non-binding; moreover, an alternative approach could be applied, provided such an approach is in line with existing legislation and has been agreed with the authority in advance. The present article addresses the matters related to activities and tasks to be performed in the context of software validation. According to the document, software validation is accomplished through a series of activities and tasks that are planned and executed at various stages of the software development life cycle; these tasks may be one time occurrences or may be iterated many times, depending on the life cycle model used and the scope of changes made as the software project progresses.
Table of Contents
Software Life Cycle Activities
First of all, the guidance highlights the activities to be undertaken in the course of a life cycle of a software product. However, the Agency states that there is no software life cycle model to be used for all the cases. As further described by the FDA, the approach to be applied should be determined on a case-by-case basis depending on the specific features of the particular software product in question. The model employed by software development should cover all the stages of the product’s life cycle. According to the document, a basic model should cover, inter alia, the following aspects:
- Quality Planning,
- System Requirements Definition,
- Detailed Software Requirements Specification,
- Software Design Specification,
- Construction or Coding,
- Testing,
- Installation,
- Operation and Support,
- Maintenance,
- Retirement.
The activities listed hereinabove are the main ones and cover additional tasks undertaken in the course of software validation. Some of the approaches are also described in detail in respective guidance documents issued by the FDA.
Typical Tasks Supporting Validation
As it was mentioned before, the process of software validation covers several tasks to be performed. At the same time, the particular tasks to be undertaken would depend on the software in question and its specific features, especially the risks associated thereto. For instance, the Agency mentions that the scope of actions to be taken about low-risk software products will not cover some tasks that are mandatory for high-risk products. Anyway, the medical device manufacturer (software developer) should consider all the tasks and indicate the ones that should and shouldn’t be applied for the particular product. The authority mentions that the approach described in the guidance is provided only as an example, and should not be treated as a way of action.
The guidance further describes in detail the basic activities listed hereinabove, namely:
- Quality Planning. According to the guidance, design and development planning should culminate in a plan that identifies necessary tasks, procedures for anomaly reporting and resolution, necessary resources, and management review requirements, including formal design reviews. In this regard, the software developer should indicate the particular model employed, as well as the activities to be undertaken at each stage. As described in the guidance, a plan to be developed by the medical device manufacturer should cover, inter alia, the aspects related to specific tasks, key quality factors to be considered, applicable procedures, acceptance criteria to be applied to evaluate the results, as well as inputs, outputs and resources needed. To complete each task, special staff and resources should be allocated, and this should be also reflected in the respective plan. Additional aspects to be considered in this regard also include the matters related to traceability and identification, including version control. It is also important to mention that the medical device manufacturer (software developer) as an entity responsible for a product should duly develop and implement the appropriate reporting procedures. In this regard, it is necessary to decide on the form of the reports and their content. The Agency states that this kind of activity usually covers such aspects as Risk (Hazard) Management Plan, Configuration Management Plan, Software Quality Assurance Plan (including Software Verification and Validation Plan, Formal Design Review Requirements, and Other Technical Review Requirements), Problem Reporting and Resolution Procedures, and Other Support Activities.
- Requirements. When developing the requirements, the manufacturer shall collect all information about the device and its intended use. Additional attention should be paid to the way the software should operate and interact with the hardware components. The authority additionally emphasizes the importance of all the aspects related to the potential risks associated with the use of the device and hazards arising thereof. As it is mentioned in the guidance, the intended use of the software should be clearly outlined in the requirements, together with a detailed description of its functions, as this will be later needed to complete software validation. According to the guidance, requirements should cover such aspects as software inputs, outputs, its functions, applicable performance requirements, the way it will interact with other elements, the environment it is intended to be used in, as well as other important aspects related to safety. The latter should be based on a technical risk management process. As described by the FDA, software requirement specifications should identify the potential hazards that can result from a software failure in the system as well as any safety requirements to be implemented in software. In other words, potential software failures should be subject to a rigorous assessment, together with the appropriate measures implemented by the manufacturer to mitigate the risks associated with these failures. In the course of such analysis, the most efficient measures should be determined. Additionally, the manufacturer should duly implement a mechanism allowing to identify and address requirements that are incomplete or conflicting. In this regard, the authority states that the manufacturer should ensure that:
- There are no internal inconsistencies among requirements,
- All of the performance requirements for the system have been spelled out,
- Failure tolerance, safety, and security requirements are complete and correct,
- Allocation of software functions is accurate and complete,
- Software requirements are appropriate for the system hazards, and
- All requirements are expressed in terms that are measurable or objectively verifiable.
In summary, the present FDA guidance highlights the main aspects related to the activities and tasks associated with the software validation. The document emphasizes the most important factors to be taken into consideration by medical device manufacturers to ensure the risks associated with the software and its potential failures are duly identified and mitigated.
Sources:
How Can RegDesk Help?
RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.
