Post

Computer Software Assurance for Production and Quality System Software (DRAFT)

This guidance provides recommendations on computer software assurance for computers and automated data processing systems used as part of medical device production or the quality system. It focuses on establishing confidence in automation through a risk-based approach and describes various methods and testing activities to fulfill regulatory requirements.

This is a draft guidance. Not for implementation.

  1. Establish a process to determine software intended use and categorization (direct vs supporting)
  2. Implement risk assessment methodology to identify high process risk vs not high process risk software features
  3. Define appropriate validation activities based on risk level
  4. Create documentation templates aligned with risk-based approach
  5. Review and update supplier assessment process for software vendors
  6. Establish procedures for maintaining software in validated state
  7. Train relevant personnel on risk-based computer software assurance approach
  8. Review existing software validation documentation against new guidance requirements
  9. Implement electronic record keeping system compliant with Part 11 requirements where applicable
  10. Create process for periodic review of software validation status

Key Considerations

Non-clinical testing

  • Testing activities should be commensurate with the risk level (high process risk vs not high process risk)
  • Different testing approaches can be used: scripted testing (robust or limited) and unscripted testing (ad-hoc, error-guessing, exploratory)
  • Testing documentation should be proportional to risk level

Software

  • Software must be validated for its intended use if used in production or quality system
  • Two categories of software: directly used in production/quality system vs supporting software
  • Risk-based approach required to determine validation effort
  • Continuous monitoring and maintenance of validated state throughout software lifecycle
  • Leveraging of vendor validation work is acceptable for lower risk software

Cybersecurity

  • Electronic signature requirements must comply with 21 CFR Part 11 when applicable
  • System security considerations for data integrity and transfer

Safety

  • High process risk determination when software failure may result in quality problems that foreseeably compromise safety
  • Additional validation efforts required for high-risk features

Other considerations

  • IEC/IEEE/ISO 29119-1: Software and systems engineering – Software testing - Part 1: Concepts and definitions

Original guidance

  • Computer Software Assurance for Production and Quality System Software
  • HTML / PDF
  • Issue date: 2022-09-13
  • Last changed date: 2022-09-12
  • Status: DRAFT
  • Official FDA topics: Medical Devices, Digital Health, Current Good Manufacturing Practice (CGMP), Postmarket
  • ReguVirta summary file ID: 25cf5659691ac99db1678774ffd25379
This post is licensed under CC BY 4.0 by the author.