Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
This guidance provides recommendations for the documentation required in premarket submissions for medical devices that use Off-The-Shelf (OTS) software. OTS software is defined as a generally available software component, used by a medical device manufacturer, for which the manufacturer cannot claim complete software life cycle control (e.g., operating systems, printer/display libraries).
Recommended Actions
- Determine the Documentation Level (Basic or Enhanced) based on device risk assessment
- Prepare comprehensive OTS software description including features, specifications and interfaces
- Conduct and document risk assessment for OTS software components
- Develop and execute verification and validation test plans
- Establish configuration management and version control procedures
- Create appropriate labeling including warnings and requirements
- Implement cybersecurity measures for data protection
- Document development methodology assurance (Enhanced level only)
- Establish maintenance and support procedures
- Prepare obsolescence management strategy
- Include all required documentation in premarket submission based on Documentation Level
Key Considerations
Non-clinical testing
- Test plans and results must be provided as part of verification and validation activities for the OTS software
- Testing should include activities performed by both OTS software developer and device manufacturer
- Testing must be appropriate for the hazards associated with the OTS software
- Current list of OTS software defects must be provided
Human Factors
- Education and training requirements for users must be specified
- Human factors conditions introduced by new OTS software components must be evaluated
Software
- Complete description of OTS software features and functions must be provided
- Computer system specifications must be detailed (hardware and software requirements)
- Links with other software must be fully defined
- Configuration management and version control procedures must be implemented
- Installation and maintenance procedures must be documented
- Risk assessment demonstrating appropriate risk mitigation must be provided
Cybersecurity
- Data integrity measures must be implemented including error checking and correction
- User authorization and authentication must be implemented for sensitive data access
- Network security considerations must be addressed for networked devices
Labelling
- User manual must specify supported OTS software versions
- Warnings about using non-specified software must be included
- Minimum hardware platform requirements must be documented
- Installation verification procedures must be described
Safety
- Safety impact assessment must be performed when introducing new/modified OTS software
- Hazards must be documented in Risk Management File
- Traceability between hazards, requirements and test reports must be provided
Other considerations
- Development methodology assurance is required for Enhanced Documentation Level devices
- Continued maintenance and support mechanisms must be demonstrated
- Obsolescence management plan should be provided
- Network architecture and performance requirements must be specified for networked devices
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Applying Human Factors Engineering and Usability Engineering to Medical Devices
Related references and norms
- ISO 13485: Medical devices - Quality management systems for regulatory purposes
- IEC 62304: Medical device software - Software life cycle processes
This post is licensed under CC BY 4.0 by the author.