Warning Letter – Software Validation Shortcomings

December 26, 2019

Excerpts from the warning letter of interest to software professionals:

“The inspection also revealed that your … LED light therapy devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System regulation found at 21 CFR Part 820.”

2. Procedures for design control have not been established and maintained per the requirements of 21 CFR 820.30, to include a complete risk analysis.

“During our inspection, the Design Control Procedure, … and the Design Change Control Procedure, … were provided. These draft procedures were dated the day our inspection began and had not been reviewed or approved as required by your Document and Data Control Procedure, … . The Design Control Procedure states that devices developed before the Procedure became effective may follow a retrospective approach for documenting design; however, the documents provided did not document any such retrospective approach.

In general, many design documents reviewed during the inspection were not approved, were not complete, and did not follow an established procedure. For example, a Design Plan, … was provided, but it is undated and has no signatures demonstrating the document is approved as required by your Document and Data Control Procedure. In addition, two design checklists were provided dated … . The checklists refer to a “Product Brief” that could not be provided upon request. The checklists were not signed and did not demonstrate approval (i.e., all places for “sign off” were left blank). Design reviews, verification and validation, and design changes should follow an approved procedure and be governed by document controls that demonstrate appropriate review, approval, and control.”

Now for the software stuff:

“The Software Validation Procedure, was dated xxx, (issued the day before our preannounced inspection began) was also provided during the inspection.  All documents related to software validation should be aligned per the requirements of your design procedures and this Software Validation Procedure. We recommend that you review your procedures against 21 CFR 820.30 to ensure all requirements are met because the software validation documents provided during the inspection do not appear to have been governed by a procedure at the time of performance. In addition, the Software Validation Report dated x/x/xxxx references a (b)(4) minute default setting for the run time of “The Vevazz” yet the treatment time is listed in the “Vevazz” User Manual as 7 minutes. The test plan referred to within this report was requested, but could not be provided. Per the two different treatment times indicated in clearances, the device and related software should be validated to demonstrate consistent performance for either treatment time based on the indication(s) for use.

Your firm’s Software Validation and Risk Mitigation Procedures reference risk assessment. The Software Level of Concern document provided to address risk analysis lists mitigations to defined risks such as visual inspection, however no documentation of visual inspection or other mitigating steps could be provided during the inspection. Without adequate records documenting performance of risk mitigation steps, there is no assurance that the risks identified with the device have been adequately controlled/mitigated to reduce the hazards to the user as required per your Hazard Analysis document, rev 0, no release date.

Your response indicates you will implement the “design control procedures” by x/x/xxxx, and compile the Design History File (DHF) by x/x/xxxx. We cannot evaluate the adequacy of your firm’s response and proposed actions at this time as you have not provided objective evidence of corrections.”

See the complete Warning Letter at this link:  https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/vevazz-llc-592118-12262019

About the author

Brian is a biomedical software engineer - whatever that is! Started writing machine code for the Intel 8080 in 1983. Still enjoys designing and developing code. But probably enjoys his garden more now and watching plants grow ... and grandkids grow!
