Computer Software Validation

[SallyOV]

Hi,

I would appreciate your valuable inputs regarding the below points:

1. Where should the line be drawn regarding the applicability of the requirement to validate a computer software application? I specifically reviewed the FDA's draft guidance (Computer Software Assurance for Production and Quality System Software), but it still doesn't seem clear for concrete cases such as software used to generate files for 3D printing intended for formative testing, or a code editing tool for a SaMD. Both are used in connection with a medical device, but how can we determine the approach without falling into the burden of treating everything as a tool that requires validation? In the end, I’m afraid I might conclude that the entire MS suite needs to be validated since it’s used to draft the technical documentation—or even a VPN, for that matter.

2. When a software tool has been fully developed in-house, does the validation need to be done in the same way as for a SaMD?

Many thanks for your help!

 

[yodon]

It needs to all boil down to risk. Your non-product software validation program should be structured such that higher risk applications require greater effort for validation. For example, you mention the MS suite. You're going to fully review the 'outputs' of MS Word so effectively no validation is required. The risk of the 3D printed item used in formative testing is also quite low and you probably have suitable checks to know it printed what you wanted. (There might be a good argument for ensuring proper controls over the files but that's pretty minor.)

You're on a good path (IMO) with the FDA draft guidance. I recommend an overall plan to establish your risk-based categories and validation approaches. Be smart about the validation work: validate what truly has potential impact.

 

[srkn14]

Per my knowledge, if the software is Patient Sample testing, then SaMD regulations (Product developed and validated per IES62304) applies. All other tools/ Apps are validated as COTs systems.

 

[v9991]

Risk based approach is the recommended and required process to determine the need of validation.

Cited Examples.	Consideration	general assessment
Software used to generate files for 3D printing intended for formative testing	Are the devices from this stage used in any pre-clinical studies etc., ? do we have separate setup for normative and verification/validation studies?	not relevant/required minimal IT Governance controls
code editing tool for a SaMD	how is configuration managed/maintained for the codes.	not relevant / required basic IT governance enough
MS Suite used for technical documentation	does it include adopting the fields/macros etc? date/time fields designing forms with constraints.	not relevant / required maintain version control
in house developed software tools	purpose, scope of operations.	YEs, relevant and required.