The FDA states in their General Principles of Software Validation; Final Guidance for Industry and FDA Staff, issued in 2002, “Any software used to automate any part of the device production process or any part of the quality system must be validated for its intended use, as required by 21 CFR 820.70(i). This requirement applies to any software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality system. In addition, computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are also subject to the validation requirements. (See 21 CFR 11.10(a).) Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.”
A very common misunderstanding of this validation requirement is that FDA compliance can be met by having their software vendors “validate” the software they are selling. Software vendors cannot sell you “FDA approved software” or “FDA validated software” because it is not the software itself that is validated, it’s the way the software is used in your business and your processes that needs to be validated.
Software vendors that specialize in selling to the medical device marketplace have many standard features built into their software that help reduce the complexity of regulated processes. By building into their products domain expertise, access to expert training content, regulatory notifications alerts, and best practices, medical device software can enable your organization to comply with regulations that include 21 CFR Part 11, 21 CFR Part 820, GMP, ISO13485, ISO9000, and other regulatory standards. However, this does not mean that the software is FDA approved! The manufacturer has to go through the validation process as part of evaluating the effectiveness of both software and processes that leverage the software.
As an example, one of the most frequent FDA 483 warning letters sent year after year concerns a medical device company’s complaint files. Specifically, establishing and maintaining procedures for receiving, reviewing and evaluating complaints (21 CFR 820.198(a)). Medical device-specific software has all the information that is needed for this type of reporting and can easily handle submission processing using the FDA’s MedWatch 3500A form. How a company analyzes this information for severity and trends so they can identify where there might be quality issues, risk of recalls or opportunities for product design improvement is a procedure and falls outside the software. It is the combination of the software, how the software is used in your business, and all the procedures surrounding it that requires validation.
A large part of the FDA software validation effort requires a company to develop scripts around their Standard Operating Procedures (SOP). These scripts are then used as a template to verify when information is entered and processed, the results are as expected. The FDA has long-established validation as a core requirement of quality assurance for medical device manufacturers. Still, many companies continue to fail to include validation programs. This can prove very costly when discovered by an inspector. Validations need to be done not only upon the initial implementation but upon every major upgrade. Over the last few years, lack of validations have been a common source of FDA 483 warning letters.