Contains Nonbinding Recommendations
Draft – Not for Implementation
such as the vendor assessment and software installation and configuration may be sufficient to
establish that the software is fit for its intended use and maintains a validated state. However, if a
manufacturer utilizes built-in functions of the COTS spreadsheet to create custom formulas that
are directly used in production or the quality system, then additional risks may be present. For
example, if a custom formula automatically calculates time and temperature statistics to monitor
the performance and suitability of the curing process, then additional validation by the
manufacturer might be necessary.
For the purposes of this guidance, we describe and recommend a computer software assurance
framework by examining the intended uses of the individual features, functions, or operations of
the software. However, in simple cases where software only has one intended use (e.g., if all of
the features, functions, and operations within the software share the same intended use),
manufacturers may not find it helpful to examine each feature, function, and operation
individually. In such cases, manufacturers may develop a risk-based approach and consider
assurance activities based on the intended use of the software overall.
FDA recommends that manufacturers document their decision-making process for determining
whether a software feature, function, or operation is intended for use as part of production or the
quality system in their Standard Operating Procedures (SOPs).
Determining the Risk-Based Approach
Once a manufacturer has determined that a software feature, function, or operation is intended
for use as part of production or the quality system, FDA recommends using a risk-based analysis
to determine appropriate assurance activities. Broadly, this risk-based approach entails
systematically identifying reasonably foreseeable software failures, determining whether such a
failure poses a high process risk, and systematically selecting and performing assurance activities
commensurate with the medical device or process risk, as applicable.
Note that conducting a risk-based analysis for computer software assurance for production or
quality system software is distinct from performing a risk analysis for a medical device as
described in ISO 14971:2019 – Medical devices – Application of risk management to medical
devices. Unlike the risks contemplated in ISO 14971:2019 for analysis (medical device risks),
failures of the production or the quality system software to perform as intended do not occur in a
probabilistic manner where an assessment for the likelihood of occurrence for a particular risk
could be estimated based on historical data or modeling.
Instead, the risk-based analysis for production or quality system software considers those factors
that may impact or prevent the software from performing as intended, such as proper system
configuration and management, security of the system, data storage, data transfer, or operation
error. Thus, a risk-based analysis for production or quality system software should consider
which failures are reasonably foreseeable (as opposed to likely) and the risks resulting from each
such failure. This guidance discusses both process risks and medical device risks. A process risk
refers to the potential to compromise production or the quality system. A medical device risk
refers to the potential for a device to harm the patient or user. When discussing medical device