Post

Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions

This guidance provides recommendations for documentation required in premarket submissions for medical devices using Off-The-Shelf (OTS) software. OTS software is defined as a generally available software component used by a medical device manufacturer for which they cannot claim complete software life cycle control (e.g., operating systems, printer/display libraries).

  1. Determine the Documentation Level (Basic or Enhanced) based on device risk assessment
  2. Prepare comprehensive OTS software description including features, specifications and interfaces
  3. Conduct and document risk assessment for OTS software components
  4. Develop and execute verification and validation test plans
  5. Establish configuration management and version control procedures
  6. Create appropriate labeling including warnings and requirements
  7. Implement cybersecurity measures for data protection
  8. Document development methodology assurance (Enhanced level only)
  9. Establish maintenance and support procedures
  10. Prepare obsolescence management strategy
  11. Include all required documentation in premarket submission based on Documentation Level

Key Considerations

Non-clinical testing

  • Test plans and results must be provided as part of verification and validation activities for the OTS software
  • Testing should include activities performed by both OTS software developer and device manufacturer
  • Testing must be appropriate for the hazards associated with the OTS software
  • Current list of OTS software defects must be provided

Human Factors

  • Education and training requirements for users must be specified
  • Human factors conditions introduced by new OTS software components must be evaluated

Software

  • Complete description of OTS software features and functions must be provided
  • Computer system specifications must be detailed (hardware and software requirements)
  • Links with other software must be fully defined
  • Configuration management and version control procedures must be implemented
  • Installation and maintenance procedures must be documented
  • Risk assessment demonstrating appropriate risk mitigation must be provided

Cybersecurity

  • Data integrity measures must be implemented including error checking and correction
  • User authorization and authentication must be implemented for sensitive data access
  • Network security considerations must be addressed for networked devices

Labelling

  • User manual must specify supported OTS software versions
  • Warnings about using non-specified software must be included
  • Minimum hardware platform requirements must be documented
  • Installation verification procedures must be described

Safety

  • Safety impact assessment must be performed when introducing new/modified OTS software
  • Hazards must be documented in Risk Management File
  • Traceability between hazards, requirements and test reports must be provided

Other considerations

  • ISO 13485: Medical devices - Quality management systems for regulatory purposes
  • IEC 62304: Medical device software - Software life cycle processes

Original guidance

  • Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
  • HTML / PDF
  • Issue date: 2023-08-11
  • Last changed date: 2023-08-11
  • Status: FINAL
  • Official FDA topics: Medical Devices, Digital Health, Premarket
  • ReguVirta summary file ID: d7665abeebdc0ea0a670b7b879b81070
This post is licensed under CC BY 4.0 by the author.