FDA Revisits Validation for Production Computer Systems

The FDA has released a draft guidance for computer software assurance (CSA), which when finalized will represent a significant change in how the agency regulates computer systems used in device manufacturing facilities. The draft guidance offers less burdensome methods for validating the operation of these computer systems by providing a new approach to risk assessment.

The scope of this draft guidance is restricted to software that is used as part of a production system and/or part of the manufacturing site’s quality management system, and does not include software as a medical device or software in a medical device. The draft guidance would not replace a 2002 guidance that describes the general principles of software validation, but instead will replace Section 6 of the software validation guidance from 2002, which addresses validation of automated process equipment and quality system software.

The FDA stated that the draft is responsive to manufacturers’ adoption of novel manufacturing technologies, and that the agency’s awareness of these issues has been furthered by its participation in the Medical Device Innovation Consortium (MDIC). Manufacturers have expressed an interest in a more agile approach to software validation for computers used in compliance and production systems because of the rapid advances in the software used for these purposes.

In this draft guidance, the FDA proposes two categories of risk for computer systems used in production and compliance activities. A software function is presumed to present a high process risk when a failure of the software to perform as intended may result in a quality problem that foreseeably compromises safety and/or effectiveness. The alternate risk category, the non-high process risk, is one in which a failure of the software function to perform as intended would not lead to a quality problem that translates into a compromised state of device safety or performance.

An example of high process risk is a software function that maintains manufacturing process parameters that have an effect on the physical properties of the manufacturing process when those physical properties are essential to device safety and/or quality. A software function that determines the acceptability of a device or a manufacturing process with no human oversight is also a high process risk, as is a function that automatically performs process corrections or adjusts process parameters based on data monitoring or automated feedback from other steps in the manufacturing process.

Among the software functions that would lead to a determination of non-high risk is the collection and recording of data from the manufacturing process for the purposes of monitoring and reviewing the manufacturing process. This is conditional on the assumption that the collected data do not have a direct impact on production or process performance.

Another non-high risk software function is the routing of corrective and preventive action (CAPA) as part of the manufacturing site’s quality system. Software that functions to log and track complaints under the complaint handling system would also be a non-high risk software function, but the draft states that a software function’s actual risk might not fall neatly into a binary of high and low risk. The manufacturer would have to determine which functions may have an impact on device safety and performance and classify that software function accordingly, including instances in which the device software function would seem to represent an intermediate level of risk.

The manufacturer uses its determination of risk to select the type of testing that would apply. For non-high risk functions, unscripted testing may be appropriate, which may include ad-hoc testing and exploratory testing. Scripted testing may be required for high-risk software functions, which may include robust scripted testing, a method that evaluates the repeatability and audibility of that software function. The draft guidance includes an explanation of how to assess and manage the risks associated with the use of commercial off-the-shelf (COTS) software. A given function of COTS may represent different levels of risk, depending on the role that function serves in the manufacturing system or quality management system, but there are scenarios in which the software vendor’s verification of a given function would be sufficient to control the risks associated with that function.