The Food and Drug Administration (FDA or the Agency), the US regulating authority in the sphere of medical devices, has published a guidance document dedicated to software validation.

The document describes the general principles to be applied and also provides clarifications regarding certain specific aspects. It is important to mention that due to their legal nature, FDA guidance documents do not introduce new rules or requirements but provide additional recommendations to be considered by medical device manufacturers and other parties involved to achieve and sustain compliance with the applicable regulatory requirements. The latest version of the document was issued by the FDA in January 2002.

Scope and Regulatory Background 

The present FDA guidance is intended to provide additional information regarding the provisions of the medical device Quality System regulation and how they should be applied with regard to software. It also describes how the authority will assess and evaluate a software validation system. At the same time, the Agency mentions that the actual scope of the guidance slightly exceeds validation itself: the aspects covered by the document also include planning, verification, testing, traceability, configuration management, etc. The document provides clarifications and recommendations regarding software life cycle management and risk management activities. The Agency states that the particular approach to be applied should depend on the intended use of the software, as well as the risks associated with it. According to the document, software validation and verification should take place throughout the whole life cycle of a product.

It is also important to mention that if the software in question is developed by a third party other than the manufacturer of the medical device (off-the-shelf software), the developer of the software itself is not responsible for ensuring compliance with the applicable regulatory requirements. The software developer should still take all necessary measures to ensure the safety and effectiveness of the software, but the medical device manufacturer using the software in its products will be the one responsible for ensuring the software has been duly validated and meets any and all requirements set forth under the applicable regulations.

The recommendations provided in the guidance should be applied in case of:

  • Software used as a component, part, or accessory of a medical device;
  • Software that is itself a medical device (e.g., blood establishment software);
  • Software used in the production of a device (e.g., programmable logic controllers in manufacturing equipment); and
  • Software used in the implementation of the device manufacturer's quality system (e.g., software that records and maintains the device history record).

The authority also mentions that, because the approach described in the guidance is based on generally recognized principles, it could be used in the case of almost any software. The approach described herein should be applied for validation of the software related to medical devices. However, the document does not provide any recommendations with regard to determining whether the particular software in question is subject to regulation under the existing framework.

The recommendations provided in the guidance should be taken into consideration by persons responsible for software design and development or the development of automated tools intended to be used for software development, as well as by those subject to the medical device QS regulations. Additionally, the recommendations provided therein should also be considered by the respective FDA staff engaged in the assessment and evaluation of software used for medical devices. 

Regulatory Requirements for Software Validation 

According to the information available to the FDA, a significant percentage of medical device recalls are due to software failures. Moreover, most of these failures are caused by modifications made to the software after it has already passed an initial assessment. Thus, it is vitally important to take the measures necessary to reduce the number of software failures and the recalls associated with them.

The software validation itself constitutes one of the requirements set forth under the Quality System regulation, which entered into force in June 1997. These requirements should be applied with regard to: 

  • Software used as components in medical devices, 
  • Software that is itself a medical device, and 
  • Software used in the production of the device or in implementation of the device manufacturer's quality system.

Under the general rule, any and all software products related to medical devices are subject to design control provisions (except certain cases when they are explicitly exempted). This approach should be applied for both initial software development and when making changes to existing software. As mentioned, software used to automate the development process should also be subject to validation, together with the computer systems used. In the case of computer systems, the scope of validation should cover such aspects as accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. 

In the case of the software provided by third-party developers, it is necessary to have in place all specifications describing the requirements the software should meet in order to fit the intended purpose. Additionally, such software should be subject to special testing and validation to ensure its compliance with the pre-defined requirements. The medical device manufacturer, as the party responsible for the final product, should have all the evidence in place. The Agency acknowledges the increasing use of off-the-shelf software and emphasizes the importance of ensuring the software will operate as intended. 

Quality System Regulation and Pre-Market Submissions 

The scope of the present document covers the aspects related to the Quality System in the context of software validation. In particular, it describes how the software validation process should be organized and managed. The Agency mentions that medical device manufacturers are allowed to use the records generated in the course of validation for other regulatory purposes – for instance, to support pre-market submissions. However, the authority mentions that the particular requirements to be applied in each case could be different. Thus, medical device manufacturers should pay special attention to the aspects related to the information a pre-market submission shall include. For this purpose, they should refer to the appropriate guidance documents issued by the FDA.  

In summary, the present FDA guidance highlights the most important aspects related to the validation of software intended to be used with medical devices. The scope of the document also addresses specific matters related to the use of off-the-shelf software, that is, products created by a developer other than the medical device manufacturer.

Sources:

https://www.fda.gov/media/73141/download 
