GxP Lifeline

Simplifying Commercial Software Validation in Medtech Manufacturing


Commercial off-the-shelf (COTS) software has dramatically enhanced medical device manufacturers’ ability to accelerate production, integrate processes, and manage quality effectively. Without straightforward guidance from regulators like the U.S. Food and Drug Administration (FDA), however, validation can be so overwhelming, impractical, and time consuming that it actually impedes progress. Even the FDA’s CSV (Computer System Validation) Team found that validation burdens and costs often deter organizations from investing in purpose-built technologies, which in turn inhibits quality best practices and can lead to violations. (1)

COTS Software Validation vs. OTS Software Validation

Recently – and as the result of the surge in the development of innovative medical devices that incorporate software – the FDA has provided more direction for validating off-the-shelf (OTS) software embedded within devices themselves (such as the software running in microchips encased in cochlear implants) than it has for validating the COTS software that device companies may use to manufacture their devices. Regarding the former, the agency’s issuance of the Off-The-Shelf Software Use in Medical Devices guidance in 2019 provided helpful principles for establishing validation plans and design controls for off-the-shelf software use in medical devices. However, when it comes to general guidance for validating commercial off-the-shelf software, FDA directives are nearly 20 years old (as outlined in the General Principles of Software Validation; Final Guidance 2002). A draft guidance for Computer Software Assurance (CSA) for Production and Quality System Software is currently scheduled for publication. Once a final guidance on the topic is released, it should clarify expectations and help minimize validation inefficiencies. (2)

Until an official CSA guidance is issued, medical device manufacturers are largely sticking to traditional methods of COTS software validation that have been cobbled together from various 21 CFR regulations. Conventional tactics essentially entail implementing the following sequential steps:

  • Define a set of user requirements.
  • Develop a validation plan.
  • Identify risks and develop a risk management plan (more on risk later!).
  • Determine functional requirements.
  • Write the user requirement specification (URS), functional requirement specification (FRS), and test scripts, then run tests to ensure the solution is working properly and to identify any issues that need to be addressed by the software vendor. In conjunction with this testing – and in coordination with the COTS software provider – installation qualification (IQ), operational qualification (OQ), and performance qualification (PQ) are performed and documented.
  • Develop a validation report.

This traditional approach is evolving into a more meaningful and effective form of validation that is far more efficient, and we owe that to technological innovations and the increasing regulatory emphasis on risk.

4 Keys to Taking a Risk-Based Approach to Validation

The risk-based approach to COTS software validation that regulators are increasingly promoting must be grounded in critical thinking. When you have a carefully considered, vendor-supported process – and the documentation to support it – in hand, it’s easy to defend the system you’re using and its functionality. With documented critical thinking at the center of all validation activities, your efforts should always be:

  1. Based on actual usage, not isolated functionality.
  2. Concentrated on the specific risk levels of your intended use.
  3. Verifying configuration settings where possible and only validating high-risk use cases.
  4. Leveraging documentation provided by the COTS software vendor to determine gaps or disparities specific to your business.

Point No. 4 is particularly important, as the responsibility for maintaining validation documentation is shifting more to software providers, according to Erin Wright, MasterControl product management director over validation. (3)

A Modern Tool That Facilitates a Risk-Based Approach

Just as device manufacturers are always looking for ways to reduce validation burdens, software vendors are continually looking for ways to help their clients accelerate validation processes. By leveraging the validation work vendors have already performed, device companies can focus their testing efforts on the features of the COTS software they implement that are most critical to their business practices.

One patented solution, the MasterControl Validation Excellence Tool, aka VxT (U.S. Pat. 10,324,830), streamlines the risk evaluation process by providing prepopulated assessments of software feature risks and mitigations, which allows companies to devote more attention to specific usage testing and critical business processes. By combining the VxT risk-evaluation tool with a software life cycle and best-practice testing approach, first-time-use validation can be reduced from months to approximately 20 hours.

The Future of COTS Software Is Self-Validating

As the burden of validation continues to transfer from device manufacturers to software as a service (SaaS) providers, there will be fewer expectations on users to perform testing on their software configurations because automated testing will be incorporated into the software products, according to Wright.

“When software vendors build testing into every feature, the minute users complete their configuration an automated test is ready to be executed just for them,” Wright said. “From the users’ perspective, this will require no additional effort or testing.” (4)

That would mean validation testing could be re-executed instantaneously any time a new software feature was released. This is a crucial requirement as the life sciences software industry moves to the continuous integration/continuous delivery (CI/CD) methodologies currently used in unregulated software. In the not-too-distant future, validation work and documentation templates will be completed by the software developer beforehand, so formal validation will virtually handle itself.

To learn more about modern validation tools and the future of validation, watch Wright’s “Going Beyond CSV to Self-Validating Software” presentation.


  1. “Removing Barriers To Technology Adoption: The case for the Computer Software Assurance (CSA) Guidance Document,” FDA CSV Team, Nov. 5, 2019.
  2. “CDRH Proposed Guidances for Fiscal Year 2022,” FDA website, content current as of Oct. 26, 2021.
  3. “Going Beyond CSV to Self-Validating Software,” MasterControl, Sept. 13, 2021.
  4. “The Next Generation of Software Is Self-Validating,” by Erin Wright, Industry Today, Feb. 24, 2021.


James Jardine is a marketing content writer at MasterControl, Inc., a leading provider of cloud-based quality and compliance software solutions. He has covered life sciences, technology and regulatory matters for MasterControl and various industry publications since 2007. He has a bachelor’s degree in communications with an emphasis in journalism from the University of Utah. Prior to joining MasterControl, James held several senior communications, operations and development positions. Working for more than a decade in the non-profit sector, he served as the Utah/Idaho director of communications for the American Cancer Society and as the Utah Food Bank’s grants and contracts manager.
