FDA Issues Draft Guidance on Computer Software Assurance for Production and Quality System Software
The U.S. Food and Drug Administration (FDA) issued the new draft guidance: Computer Software Assurance for Production and Quality System Software. Download here: 2022-Guidance-Computer-Software-Assurance
This new FDA draft guidance provides recommendations on risk-based assurance activities for computers and automated data processing systems that are used as part of medical device production or the quality system.
FDA is issuing this draft guidance to provide recommendations on “Computer Software Assurance,” aka, “validate computer software” for computers and automated data processing systems that are regulated under 21 CFR 820.70(i).
The specific regulation reads as follows: 21 CFR 820.70(i) Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.
When final, this new FDA draft guidance will supplement FDA’s guidance, “General Principles of Software Validation” except this guidance will supersede Section 6 (“Validation of Automated Process Equipment and Quality System Software”) of the Software Validation guidance.
This guidance clarifies for the industry that the requirement “validate computer software” in 21 CFR 820.70 is not intended to be the same level of effort as required by the Design Controls requirement 21 CFR 820.30 when the agency says “Design validation shall include software validation and risk analysis, where appropriate.
In the move from “validate computer software” to “Computer Software Assurance” it is interesting to compare the fundamental thoughts:
- In the 2002 Guidance, General Principles of Software Validation; Final Guidance for Industry and FDA Staff (2002-01-General Principles of Software Validation-Final Guidance), we see the question, “HOW MUCH VALIDATION EVIDENCE IS NEEDED?” The level of validation effort should be commensurate with the risk posed by the automated operation. In addition to risk other factors, such as the complexity of the process software and the degree to which the device manufacturer is dependent upon that automated process to produce a safe and effective device, determine the nature and extent of testing needed as part of the validation effort.
- In the 2022 new FDA draft guidance we see the main thought, “COMPUTER SOFTWARE ASSURANCE”
Computer software assurance is a risk-based approach for establishing and maintaining confidence that software is fit for its intended use. This approach considers the risk of compromised safety and/or quality of the device (should the software fail to perform as intended) to determine the level of assurance effort and activities appropriate to establish confidence in the software. Because the computer software assurance effort is risk-based, it follows a least-burdensome approach, where the burden of validation is no more than necessary to address the risk. Such an approach supports the efficient use of resources, in turn promoting product quality.
I see the release of this new FDA draft guidance as great news for device manufacturers. This guidance reflects over six years in the making … I know, because I did a lot of work on this draft in 2017 and 2018 before my retirement from the agency. I am pleased that it still contains many of my initial contributions and thoughts, namely:
- Device software validation is not the same as the software validation of automated production and quality systems
- It encourages an increased use of automation in the medical device sector. If you are not automating, you are not state of the art.
- It encourages the use of more modern software tools and methods. Results should outweigh “all compliance all the time” paradigm
- It encourages the use of OTS and well proven solutions in the medical device sector. You do not need to recreate the wheel
- It reinforces the idea that “critical thinking” is better than “check list” compliance-based thinking. More Case for Quality is better.