Commercial off-the-shelf (COTS) software has dramatically enhanced medical device manufacturers’ ability to accelerate production, integrate processes, and manage quality effectively. Without straightforward guidance from regulators like the U.S. Food and Drug Administration (FDA), however, validation can be so overwhelming, impractical, and time consuming that it actually impedes progress. Even the FDA’s CSV (Computer System Validation) Team found that validation burdens and costs often deter organizations from investing in purpose-built technologies, which in turn inhibits quality best practices and can lead to violations. (1)
Recently – and as the result of the surge in the development of innovative medical devices that incorporate software – the FDA has provided more direction for validating off-the-shelf (OTS) software embedded within devices themselves (such as the software running in microchips encased in cochlear implants, for example) than it has for validating COTS software device companies may use to manufacture their devices. Regarding the former, the agency’s issuance of the Off-The-Shelf Software Use in Medical Devices guidance in 2019 provided helpful principles for establishing validation plans and design controls for off-the-shelf software use in medical devices. However, when it comes to general guidance for validating commercial off-the-shelf software, FDA directives are nearly 20 years old (as outlined in the General Principles of Software Validation; Final Guidance 2002). A draft guidance for Computer Software Assurance (CSA) for Production and Quality System Software is currently scheduled for publication. Once a final guidance on the topic is released, it should clarify expectations and help minimize validation inefficiencies. (2)
Until an official CSA guidance is issued, medical device manufacturers are largely sticking to traditional methods of COTS software validation that have been cobbled together from various 21 CFR regulations. Conventional tactics essentially entail implementing the following sequential steps:
This traditional approach is evolving to a more meaningful and effective form of validation that is far more efficient, and we owe to technological innovations and the increasing regulatory emphasis on risk.
The risk-based approach to COTS software validation that regulators are increasingly promoting must be grounded critical thinking. When you have a carefully considered, vendor-supported process – and the documentation to support it – in hand, it’s easy to defend the system you’re using and its functionality. With documented critical thinking at the center of all validation activities, your efforts should always be:
Point No. 4 is particularly important, as the responsibility for maintaining validation documentation is shifting more to software providers, according to Erin Wright, MasterControl product management director over validation. (3)
Just as device manufacturers are always looking for ways to reduce validation burdens, software vendors are continually looking for ways to help their clients accelerate validation processes. By leveraging the validation work vendors have already performed, device companies can focus their testing efforts on the features of the COTS software they implement that are most critical to their business practices.
One patented solution, the MasterControl Validation Excellence Tool, aka VxT (U.S. Pat. 10,324,830), streamlines the risk evaluation process by providing prepopulated assessments of software feature risks and mitigations, which allows companies to devote more attention to specific usage testing and critical business processes. By combining the VxT risk-evaluation tool with a software life cycle and best-practice testing approach, first time use validation can be reduced from months to approximately 20 hours.
As the burden of validation continues to transfer from device manufacturers to software as a service (SaaS) providers, there will be fewer expectations on users to perform testing on their software configurations because automated testing will be incorporated into the software products, according to Wright.
“When software vendors build testing into every feature, the minute users complete their configuration an automated test is ready to be executed just for them,” Wright said. “From the users’ perspective, this will require no additional effort or testing.” (4)
That would mean validation testing could be re-executed instantaneously any time a new software feature was released. This is a crucial requirement as life sciences software industry moves to continuous integration/continuous delivery (CI/CD) methodologies currently used in unregulated software. In the not-too-distant future, validation work and documentation templates will be completed by the software developer beforehand, so formal validation will virtually handle itself.
To learn more about modern validation tools and the future of validation, watch Wright’s “Going Beyond CSV to Self-Validating Software” presentation.
Enjoying this blog? Learn More.
Do I Need to Validate? How to Make an Informed Decision in 4 StepsDownload Now