Computer Software Assurance for Production and Quality System Software (DRAFT)
This guidance provides recommendations on computer software assurance for computers and automated data processing systems used as part of medical device production or the quality system. It focuses on establishing confidence in automation through a risk-based approach and describes various methods and testing activities to fulfill regulatory requirements.
This is a draft guidance. Not for implementation.
Recommended Actions
- Establish a process to determine software intended use and categorization (direct vs supporting)
- Implement risk assessment methodology to identify high process risk vs not high process risk software features
- Define appropriate validation activities based on risk level
- Create documentation templates aligned with risk-based approach
- Review and update supplier assessment process for software vendors
- Establish procedures for maintaining software in validated state
- Train relevant personnel on risk-based computer software assurance approach
- Review existing software validation documentation against new guidance requirements
- Implement electronic record keeping system compliant with Part 11 requirements where applicable
- Create process for periodic review of software validation status
Key Considerations
Non-clinical testing
- Testing activities should be commensurate with the risk level (high process risk vs not high process risk)
- Different testing approaches can be used: scripted testing (robust or limited) and unscripted testing (ad-hoc, error-guessing, exploratory)
- Testing documentation should be proportional to risk level
Software
- Software must be validated for its intended use if used in production or quality system
- Two categories of software: directly used in production/quality system vs supporting software
- Risk-based approach required to determine validation effort
- Continuous monitoring and maintenance of validated state throughout software lifecycle
- Leveraging of vendor validation work is acceptable for lower risk software
Cybersecurity
- Electronic signature requirements must comply with 21 CFR Part 11 when applicable
- System security considerations for data integrity and transfer
Safety
- High process risk determination when software failure may result in quality problems that foreseeably compromise safety
- Additional validation efforts required for high-risk features
Other considerations
- Documentation requirements should be risk-based and include intended use, risk determination, testing activities, results, and conclusions
- Electronic records can be used instead of paper documentation
- Supplier assessment and purchasing controls should be established
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Electronic Records and Electronic Signatures - Scope and Application
Related references and norms
- IEC/IEEE/ISO 29119-1: Software and systems engineering – Software testing - Part 1: Concepts and definitions
Original guidance
- Computer Software Assurance for Production and Quality System Software
- HTML / PDF
- Issue date: 2022-09-13
- Last changed date: 2022-09-12
- Status: DRAFT
- Official FDA topics: Medical Devices, Digital Health, Current Good Manufacturing Practice (CGMP), Postmarket
- ReguVirta summary file ID: 25cf5659691ac99db1678774ffd25379
This post is licensed under CC BY 4.0 by the author.