The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of healthcare products, has published a guidance document dedicated to the principles of software validation. The scope of the document covers, inter alia, the aspects related to the validation of automated process equipment and quality system software. The document is intended to provide medical device manufacturers (software developers) with additional clarifications regarding the existing regulatory framework, as well as recommendations to be considered to ensure compliance with the applicable regulatory requirements.


First of all, the FDA states that according to the Quality System regulation, when computers or automated data processing systems are used as part of production or the quality system, the [device] manufacturer shall validate computer software for its intended use according to an established protocol. Apart from this, such equipment is subject to the Electronic Records; Electronic Signatures regulation, if it is used to create or maintain records related to the regulatory requirements in the sphere of healthcare products. 

The authority acknowledges that nowadays computer equipment is widely used at all the steps of the medical device manufacturing process including medical device design, laboratory testing and analysis, product inspection and acceptance, production and process control, environmental controls, packaging, labeling, traceability, document control, complaint management, and many other aspects of the quality system. Hence, computer systems are actively used for numerous operations performed at the manufacturing site. The scope of software products used in the course of the medical device manufacturing process is quite wide. According to the guidance, these products should be duly validated, while the particular requirements and the approach to be applied would be different. 

Should the software product be developed by the manufacturer itself, it should be created in compliance with the main principles outlined in the present guidance. The authority mentions that the manufacturer has certain flexibility concerning the software validation, and also emphasizes that the aspects related to software validation should be taken into consideration when developing or purchasing the software. According to the document, validation is typically supported by:

  • Verifications of the outputs from each stage of that software development life cycle; and 
  • Checking for proper operation of the finished software in the device manufacturer’s intended use environment. 

Validation Scope 

To assist medical device manufacturers (software developers) in ensuring compliance with the applicable requirements, the Agency highlights the key points to be taken into consideration concerning software validation. In particular, the FDA describes the approach to be applied when determining the level of validation efforts needed. According to the guidance, the approach to be applied should depend on the risk associated with the automated operation, as well as other risk-related factors, including the overall complexity of the product in question or the extent to which it impacts the manufacturing process in terms of ensuring the safety and effectiveness of the products. Considering the factors outlined hereinabove would allow the responsible party to determine the scope of evidence needed. For instance, should the output of the operation be subject to additional verification, the testing required for the equipment that performs this operation would be quite limited? At the same time, according to the guidance, additional testing could be required for:

  • A plant-wide electronic record and electronic signature system;
  • An automated controller for a sterilization cycle; or
  • Automated test equipment used for inspection and acceptance of finished circuit boards in a life-sustaining / life-supporting device. 

In the course of the manufacturing process, the medical device manufacturer may use various software products. The scope of validation evidence needed for these products should be determined depending on their intended use and the way they impact the manufacturing process. In particular, it is important to evaluate the extent to which the software in question could potentially impact the safety and effectiveness of a medical device manufactured. The authority also mentions that in case only some of the software functions are used by the medical device manufacturer, it is allowed to limit the scope of validation to these particular functions. At the same time, in the case of high-risk products, the scope of validation should cover any functions they have, even if some of them are not used, as these products could be used together with the low-risk software products in the same environment. Should the software developer introduce any changes to the product, the medical device manufacturer using this software for its internal purposes should analyze the risks associated with such changes and conduct additional validation of functions impacted by the changes, if necessary. 

Defined User Requirements 

The FDA additionally emphasizes the importance of a documented user requirements specification. According to the guidance, this document defines:

  • The intended use of the software or automated equipment; and 
  • The extent to which the device manufacturer is dependent upon that software or equipment for the production of a quality medical device. 

The manufacturer which will use the software should outline the operating environment in which the product is intended to be used, as well as any applicable requirements in terms of hardware and software configurations. Additionally, the manufacturer shall:

  • Document requirements for system performance, quality, error handling, startup, shutdown, security, etc.;
  • Identify any safety-related functions or features, such as sensors, alarms, interlocks, logical processing steps, or command sequences; and 
  • Define objective criteria for determining acceptable performance. 

The authority additionally emphasizes that the software validation activities should be undertaken under the respective protocol, and their results should be duly documented. In particular, it is necessary to document test cases covering such aspects as error and alarm conditions, startup, shutdown, all applicable user functions and operator controls, potential operator errors, maximum and minimum ranges of allowed values, and stress conditions applicable to the intended use of the equipment. As it was mentioned before, test results should be duly documented.

According to the guidance, validation could be undertaken either by the manufacturer’s staff or by a third party engaged by the manufacturer. Irrespectively of the particular way validation is performed, the manufacturer remains solely responsible for ensuring that the validation process is completed, and the product will operate as intended. 

The FDA mentions that the medical device manufacturer should have documentation in place including:

  • Defined user requirements; 
  • Validation protocol used;
  • Acceptance criteria;
  • Test cases and results; and 
  • A validation summary. 

The above mentioned documents should confirm that the product in question has been duly validated. 

In summary, the present FDA guidance highlights the most important aspects related to the scope of validation activities and the way it should be determined. The document also describes the applicable requirements regarding the documentation and records to be duly maintained by the medical device manufacturer. 



How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.