
September 23, 2025
by Jeff Craven

FDA finalizes device production and quality system software guidance

The US Food and Drug Administration’s (FDA) final guidance on software assurance in computer and data processing systems for medical device production includes more examples and a new section clarifying terms used in the guidance. However, the agency did not implement stakeholder suggestions to align it more closely with similar guidances or address some of the concerns regarding the validation of certain kinds of software or tools.
 
FDA said the guidance is intended to help agency staff and sponsors use a “risk-based approach to establish confidence in the automation used for production or quality systems, identify where additional rigor may be appropriate” as well as approaches to gauge computer software assurance for medical devices subject to quality system regulation under 21 CFR Part 820. It replaces section 6 of the “General Principles of Software Validation” final guidance published in January 2002. (RELATED: FDA drafts guidance on device production and quality system software assurance, Regulatory Focus 12 September 2022)
 
Comments in response to the draft guidance were in favor of the agency’s risk-based approach for production and quality system computer software assurance, but stakeholders asked FDA to consider aligning the final guidance more closely with the definitions of quality risk management and principles described in the ICH Q9 (Revision) guidance. According to some commenters, a discussion on cybersecurity was also missing from the draft guidance. (RELATED: ICH releases revised Q9 guideline to improve risk assessments, Regulatory Focus 3 January 2022)
 
Stakeholders asked FDA to change the guidance title out of concern that it may contradict definitions of a computerized system under current PIC/S guidance, and questioned the place of system lifecycle tools in the guidance that are not present in similar international guidance documents. (RELATED: Industry seeks clarity, ICH Q9 alignment in FDA’s device production software guidance, Regulatory Focus 14 November 2022)
 
FDA said it made several changes to the final guidance based on submitted comments. The agency appeared to keep its definitions of computer software assurance and other terms in place while adding a new section with terminology definitions.
 
FDA provided more examples of manual and automated testing and how the guidance recommendations could be applied to different software types. The agency added software as a service-based product life cycle management system as a fourth example in the appendix.
 
In its new section on definitions, FDA defined infrastructure as a service, platform as a service, and software as a service as three service models of cloud computing. The agency noted that cloud computing models can be part of the production or quality system and must be validated under 21 CFR 820.70(i).
 
“FDA recommends manufacturers focus on the intended use of the software when considering cloud computing models, as not all cloud computing models are ‘directly’ used as part of production or the quality system,” the agency explained.
 
An example of a cloud storage solution considered part of the production or quality system would be an infrastructure-as-a-service solution that stores quality records with applicable quality system obligations. By contrast, an infrastructure-as-a-service solution that stores production and process data to support infrastructure would not qualify as an established quality system record and therefore would not support the production or quality system.
 
“When storage of data in the cloud is independent of whether or not the data is part of the quality record, it is the manufacturer’s obligation to determine what the appropriate level of risk is for that application,” FDA said. “Manufacturers may consider a least-burdensome approach to assuring the IaaS cloud storage solution is adequate for their business.”
 
FDA included new examples of unscripted testing, such as scenario testing and experience-based testing, while consolidating its description of scripted testing, choosing to let sponsors decide the software testing methods and principles most relevant to their situation using a risk-based approach. It also explained that a company should employ a risk-based approach when choosing a software vendor, as many companies will have limited information about a vendor during an assessment.
 
“FDA recognizes that there are software testing methods and approaches, beyond those referenced in the guidance, that manufacturers have the flexibility to consider and utilize, as appropriate,” the agency wrote.
 
FDA also included a reference to the final guidance on cybersecurity in medical devices, noting that the cybersecurity testing methods outlined in that guidance would be suitable for the assurance activities outlined in the device production and quality system software assurance final guidance.
 
Other updates to the guidance include new examples for applying the guidance to different software types. For instance, the agency explained that the computer software assurance risk framework could be applied to automation tools, data analytics tools, artificial intelligence and machine learning tools, and cloud computing in the production or quality system.
 
Guidance