FDA's expectation for validating OTS software updates

Mark Meer

Trusted Information Resource
#1
Consider a system that includes a computer (running Windows OS) on which software is installed to run a (low-risk) medical device. As we all know, Microsoft issues Windows patch updates on a regular basis (daily/weekly), and major revisions or new versions approximately bi-annually. The ideal-world expectation that device software is revalidated following any changes to Windows OS quickly becomes unreasonable in most cases.

I would expect that validation efforts should be commensurate with the risk involved. But in a recent inspection, our claim that even in the worst-case of software failure there is no risk was insufficient justification for lack of documented revalidation of software following Windows updates.

So my questions are:
  • Are there any FDA documents that explicitly tie scope of validation efforts to risk? I'd like some authoritative ammunition to argue our position.
  • How do others handle Windows updates and revalidation of device software? The inspector said we should have a process for revalidating software before users may install Windows updates. How is this possible?
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
Re: FDA's expectation for validating OTS software updates?

  • Are there any FDA documents that explicitly tie scope of validation efforts to risk? I'd like some authoritative ammunition to argue our position.
Certainly the guidance on general principles of sw validation talk about a risk-based approach: http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm085281.htm

The guidance, though, focuses on software changes and doesn't really address environmental changes.

  • How do others handle Windows updates and revalidation of device software? The inspector said we should have a process for revalidating software before users may install Windows updates. How is this possible?
You could deliver a locked-down computer with the software where you have complete control over the environment. That's obviously impractical for most cases (although a case could be made for it if the software was life sustaining). If you just deliver software and user's load it on their PCs, it's not possible to re-validate before the changes are realized (there's also the problem of not completely knowing the environment - OS versions, platforms, browsers used / versions, etc.). You might consider monitoring when Windows updates are rolled out (which will depend on the OS versions!), do some nominal (automated?) testing to ensure no obvious impact, and hope nothing falls apart. Maybe come up with a risk-based rational to do this on a weekly basis (don't patches typically roll out on Tuesdays?). That would mean your customers could "live" with potentially faulty system for a period of time.

Definitely a tough nut to crack. It sounds like your inspector has a fairly dated mindset about software and environmental control. Overcoming that may be the biggest challenge.
 

Mark Meer

Trusted Information Resource
#3
Re: FDA's expectation for validating OTS software updates?

You could deliver a locked-down computer with the software where you have complete control over the environment.
Yes, we've considered this. If we were to redo the whole project, I'd insist on a more "controllable" OS platform (like linux, unix...). Windows, as far as I know, has very limited options in terms of ensuring updates cannot happen. We disable automatic updates, but apparently this does not cover notification of major updates (e.g. 8.0->8.1 or likely the anticipated "upgrade to Windows 10 for free!").

That would mean your customers could "live" with potentially faulty system for a period of time.
This is my concern. The best we can do, as far as I can tell, is to get a copy of new OS releases as soon as possible and test. I don't think there's anyway to actually confirm there are no issues before a user might accept a Windows update.
 

JJ_FDA

Involved In Discussions
#4
Re: FDA's expectation for validating OTS software updates?

Don't changes to the OS, including installing Windows Update updates, typically require administrator permissions to effect?

It's also worth noting that certain Windows Update patches have been known to cause serious problems with the OS in the past. Are you willing to live with having to re-animate a non-functional system?

Depending on your auditor, switching to some flavour of Linux (and sometimes Unix) may cause you more validation problems as they may not consider the OS as COTS. It's happened to me before :/
 

Mark Meer

Trusted Information Resource
#5
Re: FDA's expectation for validating OTS software updates?

Depending on your auditor, switching to some flavour of Linux (and sometimes Unix) may cause you more validation problems as they may not consider the OS as COTS.
Interesting. So your auditor did not consider Linux as a COTS? What was the basis? Because it was free? ...or did you highly customize it (e.g. modify the source code)?
 

JJ_FDA

Involved In Discussions
#6
Re: FDA's expectation for validating OTS software updates?

Because Linux wasn't well-known or have the credibility of Microsoft's or Apple's products, basically. Adequately validated, I don't see the problem.
 

MC Eistee

Starting to get Involved
#7
Even though this thread is more than a year old now, I would like to push it back up again.

Our company is currently thinking about upgrading to Windows 10.

For Windows 7 we found a way to handle patches and updates.

Patches are pushed to the computers of the responsible person for a computerized system two weeks earlier before everyone else gets those patches (as we expect that patches do not change the intended use of a function) and they do some UATs. For Updates (Service Packs) the software validation process is used.

Windows 10 is a bit more difficult:
Updates are applied every month or even more often (!) and it isn't differentiated between patches and functional updates.
Out of my current thinking functional changes to the OS would require a revalidation of the affected computerized systems.

As you cannot split between patches and functional updates you should better take the full update.

Our current solutions to handle Windows 10 are:
- Argument why a computerized system does not depend on the OS. For example web based applications
- Automated testing
- Virtualizing the application in for example Citrix under Windows 7
- Staying with a LTSB Version (Versions of Windows 10 that do not get frequent updates. Also no security patches.)
- Staying with Windows 7

Does anyone has some more ideas on how to handle Windows 10?
 

yodon

Staff member
Super Moderator
#8
First off, what is the risk of having the software go south after a patch? If low risk then maybe you take the patches and do a periodic review.

If high risk then maybe the frequent automated testing is a better solution.
 

MC Eistee

Starting to get Involved
#9
Thank you for this answer.

For the majority of application the risk is very low. This is now documented. For some critical applications we aim for automated tests.
 
Thread starter Similar threads Forum Replies Date
S FDA expectation of Concessions - Changes to a DMR ISO 13485:2016 - Medical Device Quality Management Systems 10
D FDA Guidance on Computer Software Assurance versus 21 CFR Part 11 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
G Does FDA allows remote approvals of quality documentation. Is there any specific guidance on signing any quality records remotely? Document Control Systems, Procedures, Forms and Templates 1
B Does FDA Registration QSR need to cover non-medical devices for contract repackager? US Food and Drug Administration (FDA) 1
C Non-sterile reusable surgical instruments - FDA sterilization requirement Other Medical Device Related Standards 2
D FDA Information - Revising the Instructions for Use US Food and Drug Administration (FDA) 0
S Transitional Adolescent A and B - "CDRH PREMARKET REVIEW SUBMISSION COVER SHEET FORM FDA 3514" Medical Device and FDA Regulations and Standards News 1
B FDA requirement for CAPA Signoff ISO 13485:2016 - Medical Device Quality Management Systems 6
P MSDS for MVQ FDA White, Vinyl Methyl Silicone Rubber EU Medical Device Regulations 4
S Manufacturing Process FDA FOIA Medical Device and FDA Regulations and Standards News 3
S Manufacturing Process FDA FOIA US Food and Drug Administration (FDA) 4
S Mechanical Test Under FDA Freedom of Information Act Medical Device and FDA Regulations and Standards News 5
A Medical Device Contract Manufacturer - Does the CM need to register with FDA? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
M Supplier requirements - Major supplier is a Non-Profit registered with ICCBBA (FDA UDI) Supply Chain Security Management Systems 12
C RA (Regulatory Assurance) Training (FDA) looking for resources Training - Internal, External, Online and Distance Learning 5
E FDA 513(g) Cover Letter US Food and Drug Administration (FDA) 5
S Records - Do's and don't' of record entries (FDA - 21 CFR 820) Records and Data - Quality, Legal and Other Evidence 13
B New Facility register with FDA Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 4
K 510k FDA review, will they accept Biocompatibility result generated using feasibility product lots? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 8
J FDA regulation on decorative contact lenses Medical Device and FDA Regulations and Standards News 5
P Anyone have an Idea on UAE Medical device registeration- Class B with FDA only Other Medical Device Regulations World-Wide 0
F FDA classification for a mobile app Medical Information Technology, Medical Software and Health Informatics 3
Ed Panek IFU Contact Requirements - FDA and MDD/MDR US Food and Drug Administration (FDA) 1
O Any info on release date of FDA “Computer Software Assurance for Manufacturing and Quality System Software” document? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 0
P Writing a presubmission to the FDA prior to the De novo submission US Food and Drug Administration (FDA) 4
K FDA - Can we have more than 1 Initial Importer Medical Device and FDA Regulations and Standards News 4
K Two FDA questions regarding UDI (and potentially 803.52 MDR) Other US Medical Device Regulations 0
R Importers - For the FDA Registration/ Listing, is the CMO the importer? Medical Device and FDA Regulations and Standards News 6
Z Iterative development and FDA change requests IEC 62304 - Medical Device Software Life Cycle Processes 13
P FDA Approved Product Contact Parts ISO 13485:2016 - Medical Device Quality Management Systems 6
O Clarifying FDA definition of "finished device" and “capable of functioning” 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
A FDA guidance on non-sterile Medical Device Packaging Medical Device and FDA Regulations and Standards News 7
JoCam FDA Registration for Sub-contract manufacturers Medical Device and FDA Regulations and Standards News 2
M FDA News FDA Releases Draft Guidance Clarifying Application of ISO 10993-1 Biocompatibility Standard Medical Device and FDA Regulations and Standards News 0
M Is IEC 60601-1-2 required by FDA for all electronic medical devices? IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
E Contract manufacturer FDA requirements foreign company US Food and Drug Administration (FDA) 6
P Choice of FDA reviewer US Food and Drug Administration (FDA) 6
J Is Device Tracking Card an actual requirement under FDA regulation? Other US Medical Device Regulations 0
T Definition Human Use (FDA) Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 7
K FDA 510k electrosurgery 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 0
J Leveraging FDA 510k Clearance for International Registrations Other Medical Device Regulations World-Wide 2
shimonv FDA News FDA guidance on Multiple Function Device Products (8/2020) Other US Medical Device Regulations 1
N FDA UDI - Label vs. Labeling - Does the insert need to include UDI? Other US Medical Device Regulations 1
J FDA notification of address change US Food and Drug Administration (FDA) 2
N Usability testing required for FDA IDE (investigational device exemption)? Human Factors and Ergonomics in Engineering 8
A FDA Class Classification for a cabinet 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
L FDA Biocompatibility Requirements - Transitory Contact Other US Medical Device Regulations 1
Edward Reesor FDA DM and /or Class I Life Saving US Food and Drug Administration (FDA) 0
Watchcat FDA will not tolerate fraud…meaning what, exactly? Other US Medical Device Regulations 8
K FDA Premarket Cybersecurity Guidance - 4 questions Other US Medical Device Regulations 5

Similar threads

Top Bottom