New FDA Draft Guidance

New FDA Draft Guidance

FDA Issues Draft Guidance on Computer Software Assurance for Production and Quality System Software

The U.S. Food and Drug Administration (FDA) issued the new draft guidance: Computer Software Assurance for Production and Quality System Software. Download here: 2022-Guidance-Computer-Software-Assurance

This new FDA draft guidance provides recommendations on risk-based assurance activities for computers and automated data processing systems that are used as part of medical device production or the quality system.

FDA is issuing this draft guidance to provide recommendations on “Computer Software Assurance,” aka, “validate computer software” for computers and automated data processing systems that are regulated under 21 CFR 820.70(i).

The specific regulation reads as follows: 21 CFR 820.70(i) Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.

When final, this new FDA draft guidance will supplement FDA’s guidance, “General Principles of Software Validation” except this guidance will supersede Section 6 (“Validation of Automated Process Equipment and Quality System Software”) of the Software Validation guidance.

This guidance clarifies for the industry that the requirement “validate computer software” in 21 CFR 820.70 is not intended to be the same level of effort as required by the Design Controls requirement 21 CFR 820.30 when the agency says “Design validation shall include software validation and risk analysis, where appropriate.

In the move from “validate computer software” to “Computer Software Assurance” it is interesting to compare the fundamental thoughts:

  1. In the 2002 Guidance, General Principles of Software Validation; Final Guidance for Industry and FDA Staff (2002-01-General Principles of Software Validation-Final Guidance), we see the question, “HOW MUCH VALIDATION EVIDENCE IS NEEDED?”

    The level of validation effort should be commensurate with the risk posed by the automated operation. In addition to risk other factors, such as the complexity of the process software and the degree to which the device manufacturer is dependent upon that automated process to produce a safe and effective device, determine the nature and extent of testing needed as part of the validation effort.

  2. In the 2022 new FDA draft guidance we see the main thought, “COMPUTER SOFTWARE ASSURANCE”

    Computer software assurance is a risk-based approach for establishing and maintaining confidence that software is fit for its intended use. This approach considers the risk of compromised safety and/or quality of the device (should the software fail to perform as intended) to determine the level of assurance effort and activities appropriate to establish confidence in the software. Because the computer software assurance effort is risk-based, it follows a least-burdensome approach, where the burden of validation is no more than necessary to address the risk. Such an approach supports the efficient use of resources, in turn promoting product quality.

I see the release of this new FDA draft guidance as great news for device manufacturers.  This guidance reflects over six years in the making … I know, because I did a lot of work on this draft in 2017 and 2018 before my retirement from the agency.  I am pleased that it still contains many of my initial contributions and thoughts, namely:

  • Device software validation is not the same as the software validation of automated production and quality systems
  • It encourages an increased use of automation in the medical device sector. If you are not automating, you are not state of the art.
  • It encourages the use of more modern software tools and methods. Results should outweigh “all compliance all the time” paradigm
  • It encourages the use of OTS and well proven solutions in the medical device sector. You do not need to recreate the wheel
  • It reinforces the idea that “critical thinking” is better than “check list” compliance-based thinking. More Case for Quality is better.
About the author

John is a 25 year FDA veteran. John served as a regulatory and compliance expert for FDA regulated computers and software. Practice (focus) areas include FDA software related guidances, software device classification determination, pre-market software review, post market software inspectional 483’s, additional information software requests, Digital Health Pre-certification, AAMI Software related TIRs and related medical device software standards.

Upcoming SoftwareCPR Training Courses:

Public Course – Oct 18-21, 2022 – Being Agile & Yet Compliant (virtual)

Early Bird Discount Registration through September 30, 2022.  Reserve your spot!

Register here: https://events.eventzilla.net/e/october-2022-softwarecpr-agile-and-compliant-training-course-2138573767

 

Public Course – Jan 9-11, 2023 – Risk Management (in-person)

Our newly updated ISO 14971:2019 Medical Device Risk Management, A Software Organization’s Perspective public training course is now open for registration!

Where:  Tampa, Florida

  • Coverage of ISO 14971:2019, IEC 62304; amd1, and IEC/TR 80002-1.
  • System level hazards analysis – mapping to software, cybersecurity, and usability
  • Why FMEA is incomplete for medical device risk management.
  • How to perform software hazards analysis.
  • And more!

3-days onsite with group exercises, quizzes, examples, Q&A.

Early Bird Discount Registration through September 30, 2022.  Reserve your spot!

Register here: https://events.eventzilla.net/e/2023-softwarecpr-public-training-course–iso-14971-medical-device-risk-management-a-software-organizations-perspective-2138576610

 

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
Partners located in the US (CA, FL, MA, MN, TX) and Canada.