Keys to Avoiding Regulatory Compliance Landmines
As medical devices, including in vitro diagnostics, increasingly incorporate sophisticated software components, understanding and complying with FDA guidance on software documentation is crucial. Recent updates to FDA guidance have intensified the focus on the required elements for pre-market submission relative to software, including Off-The-Shelf (OTS) software, to ensure safety and efficacy.
Overview of FDA Software Documentation Recommendations
The FDA’s multiple guidance documents on software stress the importance of comprehensive and risk-based documentation for software as or in medical devices (SaMD/SiMD):
- Comprehensive Documentation: All software components must be thoroughly documented, detailing their functionality, integration, and overall impact on device safety. Documentation should include elements such as data flow diagrams and pertinent architectural views that describe not only the software, but the ecosystem in which it operates.
- Risk-Based Documentation Approach: Documentation should be proportional to the software’s potential risks. This risk-based approach focuses on the impact to patient health and safety. A thorough risk assessment will assist in choosing between the Basic and Enhanced documentation levels:
  - Basic Documentation Level: Suitable for lower-risk software where Enhanced Documentation does not apply, and which therefore requires only standard documentation details.
  - Enhanced Documentation Level: Required for higher-risk software that could present a hazardous situation with a probable risk of death or serious injury, either to a patient, user of the device, or others in the environment of use. This level necessitates more extensive documentation covering detailed testing results and risk mitigation strategies.
Integration of Software Documentation within Quality Systems
For many organizations, software documentation requirements are not adequately covered by their quality system and related procedures. Software documentation should seamlessly integrate into an organization’s quality management system, enhancing overall device quality and compliance:
- Quality System Compliance: Software documentation practices must align with the quality system regulations (QSR), ensuring traceability, control, and verification of all software-related activities.
- Incorporation into Design Controls (21 CFR 820): Documenting software requirements is critical and should be an integral part of design controls (e.g., planning, DIDO, validation/verification), focusing on functionality, safety, performance, and interoperability. Routine software updates, such as changes to component libraries, UI changes, security updates, and bug fixes, should be accounted for in any applicable procedures.
- Supplier Management: Considerations for supplier management, including maintaining appropriate support agreements that allow for critical software updates, are paramount. Software suppliers introduce novel risk, and manufacturers must ensure that supplier risk is managed appropriately. As proprietary software may not allow for alternative suppliers, concerns around access and maintainability need to be addressed.
Challenges with Off-The-Shelf Software
OTS software is ubiquitous within the medical device landscape; however, it does pose specific challenges:
- Perceived Ambiguity on Scope: Because the analysis of software function is critical to determining the Documentation Level and need for specific documentation, device manufacturers may miss which OTS components require validation, verification, and documentation.
- Limited Supplier Documentation: Often, the documentation provided by OTS suppliers is inadequate, complicating compliance efforts related to verification/validation, traceability, risk management, and change controls.
- Lack of Comprehensive SBOM: The absence of a detailed Software Bill of Materials (SBOM) from suppliers makes it difficult to fully understand software components, necessitating robust internal documentation efforts. Many providers of research use only (RUO)/investigational use only (IUO) devices may not have robust documentation that meets regulatory requirements.
- Unclear Update Process/Strategy: Suppliers of software may not have mature update/upgrade paths, and support for critical fixes may be lacking. Access to source code is often non-existent, so updates can come only from the provider.
Strategic Approaches to Effective Software Documentation
Addressing the challenges of software documentation requires strategic actions:
- Developing Internal Documentation: To compensate for supplier gaps, device sponsors should develop detailed internal documentation and procedures that cover all aspects of software usage and compliance. This includes documenting requirements and creating a manual SBOM if necessary. It’s important to note all of the component libraries and embedded frameworks. Absent information from the provider, you may need to perform binary analysis to identify the constituent parts.
- Regular Software Audits: Conducting regular audits against, for example, production versions, open bugs/defects, and evidence of validation/verification, ensures ongoing compliance and helps address changes in software or regulatory standards effectively.
- Engaging with Suppliers: Manufacturers should work closely with suppliers to obtain necessary documentation and encourage the provision of comprehensive SBOMs.
- Conformance to Standards: Ensuring suppliers conform to widely accepted standards for software development and quality (IEC 62304:2006, ISO 14971:2019, IEC 62366, and ISO 13485) can assist in assessing risk and validating overall requirements.
Practical Implications for Device Manufacturers
Manufacturers must ensure that their documentation processes are well-integrated into their quality systems and aligned with regulatory expectations:
- Robust Design Validation: Software documentation should be part of design validation, confirming that the device meets user needs and intended uses, particularly when software components are integrated.
- Risk Management Integration: Software risks must be thoroughly managed within the device’s overall risk management framework, documenting all mitigation strategies and their effectiveness.
- Updates/Patching: Manufacturers must ensure that updates from suppliers are obtained regularly and that they are evaluated for impact to functionality, accuracy, reliability, and risk prior to implementation. Updates and patches should also be evaluated relative to any regulatory approvals, clearances or applications.
How Beaufort Can Help
Robust software documentation is vital for the clearance and safe use of medical devices both in development and already on the market. By understanding and adhering to the latest FDA guidelines and incorporating comprehensive documentation practices into quality systems, manufacturers can maintain and enhance device safety and efficacy. Beaufort has extensive expertise in software and regulatory compliance requirements and provides manufacturers with the support needed to navigate these complex requirements, including:
- Gap Analysis and Remediation
- Software Component Identification and Inventory
- Documentation Assessment
- Quality Management System Assessment
- Software Contract Review
- SOP Development
- Staff Training
Contact us today to learn more and schedule an introductory meeting.