The FDA General Principles of Software Validation
On June 7, 1997, the FDA issued the FDA issued the General Principles of Software Validation, which recommends a comprehensive software development lifecycle (SDLC) that integrates risk management strategies with principles for software validation. The FDA software validation principles are applicable to medical device software or software used to design, develop, or manufacture medical devices. Devices categorized as class II and III, as well as some class I devices are subject to design controls; of these class the following types of software must be validated for FDA approval:
- Software used as a component, part, or accessory of a medical device;
- Software that is itself a medical device (e.g., blood establishment software)
- Software used in the production of a device (e.g., programmable logic controllers in manufacturing equipment); and
- Software used in implementation of the device manufacturer's quality system (e.g., software that records and maintains the device history record).
As an effective means to gain approval, the FDA recommends that medical device software development take an integrated SDLC strategy that merges validation and verification activities, including defect prevention practices such as unit testing, peer code reviews, static analysis, manual testing, and regression testing, throughout the SDLC. The result of such an approach is an emphasis on planning, verification, testing, traceability, and configuration management.
Developing software for medical devices that complies with the FDA's Quality System regulation is a challenging endeavor that's as much a business issue as it is an engineering feat. In this paper, we identify software development challenges that medical device makers face when attempting to integrate the principles outlined by the FDA. Furthermore, we describe how Parasoft's automated defect prevention solutions help organizations overcome the challenges of an integrated SDLC approach. Lastly, we provide a point-to-point index of FDA principles and the Parasoft capabilities that support them.
FDA Software Validation: The Least Burdensome Approach
The FDA guidance does not prescribe specific practices, tools, coding methods or any other technical activity. The FDA, instead, prescribes the seemingly innocuous concept of the Least Burdensome Approach. In this approach, organizations determine, and strictly adhere to their self-defined validation and verification processes.
Development activities and outcomes must be clearly defined, documented, verified, and validated against the organization's process.
The goal of this approach is to give medical device makers enough rope to determine how to best ensure public safety. But in practice, the effect has been that organizations have enough rope to hang themselves. This is because the requirements, expressed in FDA 21 CFR, represent extensive planning and testing, which require validation. The following examples are just a fraction of the total challenges software engineers must overcome:
To read more about what's expected for compliance with FDA General Principles of Software Validation sections 3, 4, and 5, get the complete Achieving FDA Software Validation Compliance white paper.