Warning Letter – Inadequate software validation

March 2, 2020

Excerpts from a warning letter of interest to software professionals:

1.b. Validation of device software is inadequate and is incomplete. Specifically, your firm did not conduct or document the results of software requirement specification and software design specification in your software verification and validation report for your Class II Swaive Thermometer. The verification and validation report did not document the results of the following requirements:

i. Display temperature data and warning when low voltage alarm exhibits, object’s temperature over range, ambient temperature over range
ii. Execution of mathematics operation
iii. Display information on 3×12 LCD display with 4 decimal digits and 5 icons
iv. Display “LO BAT” when the battery voltage is below 2.4V
v. Display “AH” when the ambient temperature is higher than 40ºC and “AL” when the ambient temperature is lower than 10ºC.
vi. Display “_ _ _E” when the object’s temperature is higher than 42.2ºC

The response dated November 13, 2019 is not adequate. Per your firm’s software verification and validation report, section 7 includes a table of design requirements, design specifications, verification and validation test requirements; and section 10 includes a table of the measurement test report with the test description, criteria, test results (°C) and remarks (P/F). The design requirements in section 7 state an object can be measured from (b)(4) at an environment from (b)(4). The verification and validation test requirements in section 7 state “Measure blackbody temperatures in different ambient temperatures. These states should include the extreme conditions:” blackbody: (b)(4) at ambient temperatures (b)(4) and (b)(4) and black body (b)(4) at ambient temperatures (b)(4) and (b)(4). This test is to ensure the software executes mathematical operations correctly under extreme conditions and normal conditions and the mitigates the hazard of displaying error temperature data due to incorrect mathematical protocol. These specifications are confusing as the design requirement for the ambient temperature should be (b)(4), but the verification requirements for ambient temperature are (b)(4).

In your response, you note that your firm did not document the results of software verification for the software design requirements and specifications. On November 5, 2019 your firm conducted a software verification and provided the results in document CAPA2. The report does not address all design requirements such as the testing at extreme temperatures, nor does it provide the measured temperatures throughout testing to determine if the design specification was met.

c. Your firm’s Risk Management Report, Version (b)(4), dated January 05, 2019, for Swaive Thermometer is inadequate and is incomplete, in that it did not identify all potential failure modes/ risk mitigations for:

– Storage or operation outside prescribed environmental conditions
– Incorrect measurements
– Sharp edges
– Inadequate packaging
– Issues with embedded software

These were not considered for possible hazards and contributing factors associated with the device risks; however, they were identified in the firm’s test reports and software verification report as potential failures modes.

 

See the complete Warning Letter at this link.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:

TBD

 


 

Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: TBD

 


 

Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
Partners located in the US (CA, FL, MA, MN, TX) and Canada.