Medical Device

FDA: Software Assurance guidance for Production and Quality System Software

Tue, 20 Feb 2024 04:16:23 +0000

This draft guidance is intended to:

Computer Software Assurance is a risk-based approach to establish confidence in the automation used for production or quality systems, that software is fit for its intended use.
CSA focus on preventing the introduction of defects into the software development process, identify & fit suitable additional rigor where it is required.
Describe various methods and testing activities that may be applied to establish CSA and provide objective evidence to fulfill regulatory requirements (i.e Computer Software Validation requirements in 21CFR part 820).

Scope:

This draft guidance to provide recommendations on Computer Software Assurance for computers and automated data processing systems used as part of medical device production or the quality system.
This guidance provides additionally discusses specific risk considerations, acceptable testing methods, and efficient generation of objective evidence for production or quality system software.

Steps in CSA Approach:

The CSA risk framework focuses on four following steps:

Identifying the intended use (use of the software feature or function)
Determining the risk-based approach
Determining the appropriate assurance activities
Establishing the appropriate record

Identifying the Intended Use:

21 CFR 820.70(i) requires any software that is used as part of the production or quality system needs to be validated for its intended use
In general, software can be categorized as:
1. Direct Impact: Software being used for a production or quality system process. Ex: Software intended for automating production/quality processes, inspection, testing, or the Collection and processing of production/quality system data or maintaining a quality record under the regulation.
2. Indirect Impact: software that supports a production or quality system process. Ex: Software intended for use as development tools that test or monitor software systems or that automate testing activities for the software used as part of production or the quality system, such as those used for developing and running scripts. And used for automating general record i.e not part of the quality record.
Any category of Software may have one or more intended uses depending on the individual features, functions, and operations of that software. However, it is essential to thoroughly understand the features, functions, and operations of a software when determining the intended use.
Based on complexity of software, and operations have different roles, they may produce different risks to product quality & Patient safety.
FDA recommends that manufacturers examine the intended uses of the Individual features, functions, and operations to facilitate development of a risk-based assurance strategy with different assurance activities for individual features, functions, or operations. Ex: A commercial off-the-shelf (COTS) software is used to document time and temperature data for a curing process. Manufacturer may not need to perform additional assurance Activities beyond. These below mentioned are Sufficient to establish that the software is fit for its intended use.
What the COTS software developer has already conducted in terms of validation
Conducting a vendor assessment
Software installation and configuration

Determining the Risk-based Approach:

After determines that software intended use as part of production or the quality system, FDA recommends using a risk-based analysis to determine appropriate assurance activities.
The CSA’s risk-based approach suggests classifying software as either “high process risk” and “not high process risk”.
- High process risk:
  - When software does not perform as intended, it may result in a quality problem that may foreseeably compromise safety. meaning an increased medical device risk. Ex:Analyze acceptability of product without manual intervention.A software that can monitor and maintain temperature, pressure, or humidity in a sterile room and failure of which can impact product quality drastically.
- Not high process risk:
  - Where software doesn’t perform as intended, would not result in a quality problem that foreseeably compromises safety. As well as situations where failure to perform as intended may result in a quality problem that may not foreseeably to compromise safety. Ex:
    - A software that is used as part the quality system for CAPA routing, automated logging/ tracking of complaints, automated change control management / automated procedure management.
    - Collect and record data from the process for monitoring and review purposes that do not have a direct impact on production or process performance and software used to support production or the quality system.
Manufacturers can also choose to further categorize these software as “moderate”, “intermediate”, or “low” to determine assurance activities; however, FDA will consider them under “Not high process risk” category only.

Determining the Appropriate Assurance Activities:

For high process risk software, FDA suggests perform scripted testing or limited scripted testing as appropriate.
1. Scripted testing: In which the tester’s actions are prescribed by written instructions in a test case step by step with evidence. Scripted testing includes both robust and limited scripted testing.
2. Robust scripted testing: Scripted testing efforts in which the risk of the computer System or automation includes evidence of repeatability, traceability to requirements, and auditability.
3. Limited scripted testing: A hybrid approach of scripted and unscripted testing that is appropriately scaled according to the risk of the computer system or automation. This approach may apply scripted testing for high-risk features or operations and un scripted testing for low to medium-risk items as part of the same assurance effort.
For not high-risk software, FDA suggests perform un-scripted testing. Testing methods such as ad-hoc testing, error-guessing, exploratory testing, or a combination of methods that is suitable for the risk of the intended use.
1. Unscripted testing: Dynamic testing in which the tester’s actions are not prescribed by Written instructions step by step and no need to collect evidence. It includes:
2. Ad-hoc testing: A concept derived from un scripted practice that focuses primarily on performing testing that does not follow on large amounts of documentation to execute (e.g., test Protocol) or documenting evidence.
3. Error-guessing: A test design technique in which test cases are derived on the basis of the tester’s knowledge of past failures or general knowledge of failure modes.
4. Exploratory testing: Experience- based testing in which the tester spontaneously designs and executes tests based on the tester’s existing relevant knowledge, prior exploration of the test item (including results from previous tests), and heuristic “rules of thumb” regarding common software behaviors and types of failure.
5. Exploratory testing looks for hidden properties, including hidden, un anticipated user behaviors, or accidental use situations that could interfere with other software properties being tested and could pose a risk of software failure (towards patient safety).

Establishing the Appropriate Record:

Sufficient document evidence required to demonstrate that the software feature, function, or operation was assessed and performs as intended. In general, the record should include the following:
1. The intended use of the software feature, function, or operation;
2. Risk-Based Analysis: The determination of risk of the software feature, function, or operation;
3. Documentation of the assurance activities conducted: Includes description of the testing conducted based on the assurance activity (test steps, test results, tester details);
4. Issues found (e.g., deviations, failures) and the disposition
5. Conclusion statement declaring acceptability of the results
6. The date of testing/assessment and the name of the person who conducted the testing/assessment
7. Established review and approval when appropriate (e.g., when necessary, a signature and date of an individual with signatory authority)
Documentation of assurance activities need not include more evidence than necessary to show that the software feature, function, or operation performs as intended for the risk identified. And FDA encourages the industry to use system- generated objective evidence such as system logs, audit trails rather than the traditional paper-based test scripts and screenshot evidence.

Tags: 21 CFR part 820, Compliance Testing, FDA Compliance, FDA Guidance, Health Tech, Medical Device, Quality Systems, Regulatory Compliance, Risk Analysis, Software Assurance, Software Validation

Language requirements for Manufacturers – Europe

Tue, 13 Feb 2024 11:42:31 +0000

Different legal provisions outlined in Regulation (EU) 2017/745 on medical devices (MDR) permit Member States to establish national language requirements for makers of device companion materials. If Member States have taken advantage of the opportunity to establish language requirements for manufacturers, the following table provides an overview of the national rules. It is optional for Member States to choose a single language.

The below information is provided based on the information available to the Commission services following a consultation of the Medical Device Coordination Group (MDCG) in October 2023.

Country	Label/IFU (Art. 10 (11), Annex I, section 23, MDR)		Implant card (Art. 18 (I) MDR)	Declaration of conformity (Art 19 (I) MDR)	Field safety notice (Art. 89 (8) MDR)	Documents for conformity assessment (Art. 52 (12)	(Graphic) user interface (e.g. Apps)
Country	Patient/lay user	Professional user					Patient/lay user	Professional user
Austria	German	German or English	German	German	German	German or English
Belgium	French, Dutch and German	French, Dutch, German or English	French, Dutch, German or English (choice of the patient)	French, Dutch, German or English	French, Dutch and German; in case user is a healthcare professional English is allowed	French, Dutch, German or English	Considered as the Label/IFU information: French, Dutch and German	Considered as the Label/IFU information: French, Dutch and German or English
Bulgaria	Bulgarian	Bulgarian
Croatia	Croatian	Croatian and/or English (declaration/agr eement of professional user needed). “or” is to be read as without prejudice information supplied should be clearly comprehensible to the intended user	Croatian as the card is intended for patients	Croatian and/or English	Croatian and/or English	English	elements linked to performance or safety should follow the same rules as label/IFU.	linked to performance or safety should follow the same rules as label/IFU
Cyprus	Greek	Greek or English	Greek or English	Greek or English	Greek or English	Greek or English	Greek	Greek or English
Czech Republic	Czech	Czech	Czech	Czech, Slovak or English	Czech	Czech, Slovak or English	Czech	Czech or English
Denmark	Danish	Danish; English possible upon request	Danish, exception English				Danish	Danish
Estonia	Estonian	Estonian or English	Estonian or translated into Estonian	Estonian or English	Estonian, initial FSN for urgent cases can be submitted in English	Not stated in the national law, but in practice we accept Estonian or English	Interpretation of the requirement nts: no certain requirement to translate GUI, but the manufacturer has to assess and establish a suitable way to inform the potential/intended user(s).	Interpretation of the requirement nts : no certain requirement to translate GUI, but the manufacturer has to assess and establish a suitable way to inform the potential/intended user(s).
Finland	Finnish and Swedish For Custom made MD: Finnish or Swedish, or both, depending on patient/customer need.	Finnish, Swedish or English.However, information necessary for ‘safe use’* must be in Finnish and Swedish.The Manufacturer must determine, based on a risk assessment, which information is necessary for safe use.	Finnish, Swedish and English	Finnish, Swedish or English	To be created in languages which are necessary for safety	Finnish, Swedish or English	Not specified, but GUI is in general treated similarly to IFU	Not specified, but GUI is in general treated similarly to IFU
France	French	French	French	French	French	French	French based on the general safety and performan ce requirements	French or English based on general requireme nt taking into account the skills and the means available to the users and the influence resulting from variation that can be reasonably anticiped in the user’s technique and environment
Germany	German	German or English or users	German	German or English	German	German or English	N/A	N/A
Greece	Greek	Greek For MDD,exceptionally in English (after CA approval)				Greek and/or another EU language accepted from the NB
Hungary	Hungarian	Hungarian	Hungarian		Hungarian	Hungarian
Ireland	English language or English language and Irish language	English language or English language and Irish language	English language or English language and Irish language	English language or English language and Irish language	English language or English language and Irish language	English language or English language and Irish language
Italy	Italian	Italian	Italian and English		Italian	Italian or another EU language accepted by the NB
Latvia	Latvian	Latvian or English if a medical device is intended to be used only in a health care facility and a consent of the health care facility is provided regarding use the foreign language	Latvian	Latvian	Latvian	Latvian	Latvian or English if an explanation n of functions is available in the IFU	Latvian or English if a device is intended to be used only in a health care facility and a consent of the health care facility is Provided
Lithuania	Lithuanian	Lithuanian			Lithuanian
Luxembourg	French, German or Luxembourgish(for MD)French or	French, German or Luxembourgish or English (for MD) French or German (for AIMD)	French or German for AIMD French, German or Luxembourgish for MD	French or German and/or a language accepted by the notified body	French or German for AIMD French, German or Luxembourgish for MD	French or German and/or a language accepted by the notified body	French or German for AIMD	French, German or Luxembourgish or English French or German (for AIMD)
Malta	Maltese and/or English	Maltese and/or English	Maltese and/or English	Maltese and/or English	Maltese and/or English	Maltese and/or English	Maltese and/or English	Maltese and/or English
The Netherlands	Dutch	Dutch or English	Dutch	Dutch or English	Dutch or English	Dutch or English
Poland	Polish	Polish or English	Polish	Polish – lay user English – professional user	Polish	Polish or English	Polish or English but IFU in Polish With the exception of devices intended for use in life and health emergencIes	English
Portugal	Portuguese	Portuguese	Portuguese The publication of the national legal framework for the MDR is still pending.	Portuguese (although English is accepted – current procedure) The publication of the national legal framework for the MDR is still pending.	Portuguese	Portuguese (although English is accepted – current procedure) The publication of the national legal framework for the MDR is still pending.
Romania	Romanian	Romanian or English (written consent of healthcare professional needed)		Romanian or English		Romanian or English (with approval of the CA)
Slovakia	Slovak Label in ENG if intended for a professional use	Slovak	Slovak	Slovak or English	English	language accepted by the NB (mostly SVK or ENG)	Slovak	English has to be explained in the Slovak IFU
Slovenia	Slovene	Slovene For professional u se: the instructions for use can be written in the language understandable for the user. (Normally English is acceptable	Slovene	Slovene	Slovene		Slovene	Slovene; For profession al use: the instruction s for use can be written in the language understan dable for the user. (Normally English is acceptable
Spain	Spanish	Spanish	Spanish		Spanish
Sweden	Swedish	Swedish	Swedish or English	Swedish or English	Swedish	Swedish or a language accepted by the notified body
Iceland	Icelandic, allowed to be in English or Nordic language except Finnish for class I and IIa	Icelandic or English	Icelandic	Icelandic or English	Icelandic or English	English	Icelandic, allowed to be in English or Nordic language except Finnish for class I and IIa	Icelandic or English
Liechtenstein	German	German or English, if certain requirements are met	German	German or English	German
Norway	Norwegian	Norwegian	Norwegian	English or Norwegian	Norwegian	English	Norwegian	Norwegian
Turkey	Turkish	Turkish Exception: Label may be in English (with approval of the CA)	Turkish and, if necessary,English	Turkish	Turkish	Turkish	Turkish	Turkish or English provided that IFU are presented in Turkish

Tags: Compliance, EU Regulations, Europe, Healthcare, Language Requirements, Manufacturers, MDR, Medical Device, Medical Technology, Regulation 745