Document issued on: May 11, 2005
This document supersedes Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, issued May 29, 1998, and Reviewer Guidance for a Premarket Notification Submission for Blood Establishment Computer Software, issued January 13, 1997.
For questions regarding this document concerning devices regulated by CDRH contact Linda Ricci at (301) 796-6325. For questions regarding this document concerning devices regulated by CBER contact Linda Weir at (301) 827-6136.
U.S. Department of Health and Human Services
Food and Drug Administration
Center for Devices and Radiological Health
Office of Device Evaluation
Office of In Vitro Diagnostics
Center for Biologics Evaluation and Research
Office of Blood Research and Review
Contains Nonbinding Recommendations
Comments and suggestions may be submitted at any time for Agency consideration to the Division of Dockets Management, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD, 20852. When submitting comments, please refer to the exact title of this guidance document. Comments may not be acted upon by the Agency until the document is next revised or updated.
Additional copies are available from the Internet. You may also send an e-mail request to CDRH-Guidance@fda.hhs.gov to receive an electronic copy of the guidance or send a fax request to 301-827-8149 to receive a hard copy. Please use the document number (337) to identify the guidance you are requesting.
Additional copies of this guidance are available from the CBER Internet, or from the Office of Communication, Training and Manufacturers Assistance (HFM-40), 1401 Rockville Pike, Rockville, MD 20852-1448 or by calling 1-800-835-4709 or 301-827-1800.
Table of Contents
- The Least Burdensome Approach
- Relationship to Other Documents
- Level of Concern
- Determining Level of Concern
- Software-related Documentation
- The Special 510(k) Program
- The Abbreviated 510(k) Program
- Additional Topics
Guidance for Industry and FDA Staff
Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices
This guidance represents the Food and Drug Administration's (FDA's) current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind FDA or the public. You can use an alternative approach if the approach satisfies the requirements of the applicable statutes and regulations. If you want to discuss an alternative approach, contact the FDA staff responsible for implementing this guidance. If you cannot identify the appropriate FDA staff, call the appropriate number listed on the title page of this guidance.
This guidance document is intended to provide information to industry regarding the documentation that we recommend you include in premarket submissions for software devices, including stand-alone software applications and hardware-based devices that incorporate software. This document is a result of ongoing efforts to state our recommendations more clearly and ensure they remain current as technology advances. This document also combines into one guidance recommendations previously included in two guidance documents.[i]
The Least Burdensome Approach
The issues identified in this guidance document represent those that we believe should be addressed before your device can be marketed. In developing the guidance, we carefully considered the relevant statutory criteria for Agency decision-making. We also considered the burden that may be incurred in your attempt to follow the guidance and address the issues we have identified. We believe that we have considered the least burdensome approach to resolving the issues presented in the guidance document. If, however, you believe that there is a less burdensome way to address the issues, you should follow the procedures outlined in the guidance, A Suggested Approach to Resolving Least Burdensome Issues.
FDA's guidance documents, including this guidance, do not establish legally enforceable responsibilities. Instead, guidances describe the Agency's current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidances means that something is suggested or recommended, but not required.
For the purposes of this document, we refer to devices that contain one or more software components, parts, or accessories, or are composed solely of software as “software devices,” including:
- firmware and other means for software-based control of medical devices
- stand-alone software applications
- software intended for installation in general-purpose computers
- dedicated hardware/software medical devices
- accessories to medical devices when those accessories contain or are composed of software.
This guidance applies to software devices regardless of the means by which the software is delivered to the end user, whether factory-installed, installed by a third-party vendor, or field-installed or -upgraded.
Software not covered by this guidance includes software designed for manufacturing or other process-control functions but not intended for use as a device. For further information or to clarify the requirements for your device, please contact the responsible FDA review division.
This guidance document applies to all types of premarket submissions for software devices, including:
- Premarket Notification (510(k)) including Traditional, Special, and Abbreviated submissions
- Premarket Approval Application (PMA)
- Investigational Device Exemption (IDE)
- Humanitarian Device Exemption (HDE), including amendments and supplements.
Relationship to Other Documents
FDA Guidance Documents
We intend this document to complement other existing guidance documents that provide recommendations related to software. For example, we recommend that you also refer to the guidance “General Principles of Software Validation”[ii] for recommendations on software related to a device (including software that is a stand-alone device or that is a component, part, or accessory of a device). We recommend that you refer to the “Guidance for Off-the-Shelf Software Use in Medical Devices”[iii] in cases where your device uses off-the-shelf software.
Manufacturers of Software Devices should create and maintain software-related documentation in accordance with the requirements of the Quality System Regulation[iv] (QS regulation) (21 CFR part 820). As with other FDA guidance documents that provide recommendations, please note that following the recommendations of this guidance is not a substitute for compliance with the QS regulation.
Software-Related Consensus Standards
The emergence of consensus standards related to software has helped to improve the consistency and quality of software development and documentation, particularly with respect to critical activities such as risk assessment and management. When possible, we harmonized the terminology and recommendations in this guidance with software-related consensus standards such as ISO 14971[v] and AAMI SW68.[vi]
Verification and Validation
This document uses the terms “verification” and “validation” (also referred to as “V&V”) as they are defined in the QS regulation.[iv]
Verification “means confirmation by examination and provision of objective evidence that specified requirements have been fulfilled.” 21 CFR 820.3(aa). In a software development environment, software verification is confirmation that the output of a particular phase of development meets all of the input requirements for that phase. Software testing is one of several verification activities intended to confirm that the software development output meets its input requirements. Other verification activities include:
- various static and dynamic analyses
- code and document inspections
- module level testing
- integration testing.
Design validation “means establishing by objective evidence that device specifications conform with user needs and intended use(s).” 21 CFR 820.3(z)(2). Use of the term validation in this document is limited to design validation and does not include process validation as defined in 21 CFR 820.3(z)(1).
One component of design validation is software validation. Software validation refers to establishing, by objective evidence, that the software conforms with the user needs and intended uses of the device. Software validation is a part of design validation of the finished device. It involves checking for proper operation of the software in its actual or simulated use environment, including integration into the final device where appropriate. Software validation is highly dependent upon comprehensive software testing and other verification tasks previously completed at each stage of the software development life cycle. Planning, verification, traceability, configuration management, and many other aspects of good software engineering are important activities that together help to support a conclusion that software is validated.
Minor and Serious Injuries
For the purposes of this document, we use the term minor injury to mean any injury that does not meet the definition of a serious injury as defined in 21 CFR 803.3(bb)(1). This regulation defines serious injury as an injury or illness that:
- is life threatening;
- results in permanent impairment of a body function or permanent damage to a body structure; or
- necessitates medical or surgical intervention to preclude permanent impairment of a body function or permanent damage to a body structure.
For the purposes of this document, the term permanent is defined as “irreversible impairment or damage to a body structure or function, excluding trivial impairment or damage.” 21 CFR 803.3(bb)(2).
Level of Concern
The documentation that we recommend you include in a premarket submission generally depends on the device’s Level of Concern. For the purposes of this guidance document, Level of Concern refers to an estimate of the severity of injury that a device could permit or inflict, either directly or indirectly, on a patient or operator as a result of device failures, design flaws, or simply by virtue of employing the device for its intended use. We recommend that you describe the role of the software in causing, controlling, and/or mitigating hazards that could result in injury to the patient or the operator, because this is also a factor in determining the appropriate Level of Concern for your device.
The extent of documentation that we recommend you submit for your Software Device is proportional to the Level of Concern associated with the device. Level of Concern is defined only for use in this context and is not related to device classification (Class I, II or III) or to hazard or risk analysis per se.
Major, Moderate, or Minor Level of Concern
The following sections provide recommendations for determining the Level of Concern that may be appropriate for your Software Device and recommendations for documentation that you should submit for each Level of Concern. We recommend that you determine the Level of Concern before any mitigation of relevant hazards. In other words, the Level of Concern should be driven by the hazard analysis in the absence of mitigations, regardless of the effects of the mitigations on the individual hazards.
FDA recommends that you state in your submission the Level of Concern you have determined for your Software Device. It may be Major, Moderate or Minor as defined below. We also recommend that you describe how you arrived at that Level of Concern. The Level of Concern is based on how the operation of the software associated with device function affects the patient or operator. The effect may be direct or indirect.
We believe the level of concern is Major if a failure or latent flaw could directly result in death or serious injury to the patient or operator. The level of concern is also Major if a failure or latent flaw could indirectly result in death or serious injury of the patient or operator through incorrect or delayed information or through the action of a care provider.
We believe the level of concern is Moderate if a failure or latent design flaw could directly result in minor injury to the patient or operator. The level of concern is also Moderate if a failure or latent flaw could indirectly result in minor injury to the patient or operator through incorrect or delayed information or through the action of a care provider.
We believe the level of concern is Minor if failures or latent design flaws are unlikely to cause any injury to the patient or operator.
Determining Level of Concern
We have provided the following key questions to assist you in determining the Level of Concern. We recommend that you assess the Level of Concern before mitigating any hazard; that is, you should assess your software device against these questions as though you have not implemented hazard mitigations.
If the answer to any question is No, continue on to the next question. As discussed in more detail later, we recommend that you include the basis for your conclusion as to the Level of Concern in your submission. In all cases, we recommend that you assess the Level of Concern within the context of the worst possible, reasonably foreseeable, clinical consequences of failure of the Software Device.
Table 1 Major Level of Concern
If the answer to any one question below is Yes, the Level of Concern for the Software Device is likely to be Major.
- Does the Software Device qualify as Blood Establishment Computer Software?
- Is the Software Device intended to be used in combination with a drug or biologic?
- Is the Software Device an accessory to a medical device that has a Major Level of Concern?
- Prior to mitigation of hazards, could a failure of the Software Device result in death or serious injury, either to a patient or to a user of the device? Examples of this include the following:
  - Does the Software Device control a life supporting or life sustaining function?
  - Does the Software Device control the delivery of potentially harmful energy that could result in death or serious injury, such as radiation treatment systems, defibrillators, and ablation generators?
  - Does the Software Device control the delivery of treatment or therapy such that an error or malfunction could result in death or serious injury?
  - Does the Software Device provide diagnostic information that directly drives a decision regarding treatment or therapy, such that if misapplied it could result in serious injury or death?
  - Does the Software Device provide vital signs monitoring and alarms for potentially life threatening situations in which medical intervention is necessary?
Table 2 Moderate Level of Concern
If the Software Device is not Major Level of Concern and the answer to any one question below is Yes, the Level of Concern is likely to be Moderate.
- Is the Software Device an accessory to a medical device that has a Moderate Level of Concern?
- Prior to mitigation of hazards, could a failure of the Software Device result in Minor Injury, either to a patient or to a user of the device?
- Could a malfunction of, or a latent design flaw in, the Software Device lead to an erroneous diagnosis or a delay in delivery of appropriate medical care that would likely lead to Minor Injury?
If the answers to all of the questions in Tables 1 and 2 above are No, the Level of Concern is Minor.
The review divisions at FDA are available to discuss any questions you may have about the Level of Concern for your Software Device. If you believe the Level of Concern for your device is Major and you have not previously filed a premarket submission for this type of Software Device, we recommend that you contact the appropriate division at FDA to discuss your Software Device before filing your submission.
Software-related Documentation
Software-related documentation that you provide in your premarket submission should be consistent with the intended use of the Software Device, the Level of Concern, and the type of submission. This section describes the documentation that we recommend you include in your premarket submission based on the Level of Concern (see Table 3). However, you should follow the recommendations in device-specific guidance, if available for your device. In general, the documentation provided in your submission should:
- describe the design of your device
- document how your design was implemented
- demonstrate how the device produced by your design implementation was tested
- show that you identified hazards appropriately and managed risks effectively
- provide traceability to link together design, implementation, testing, and risk management.
The type and extent of documentation that we recommend you submit is summarized in Table 3. Our recommendations are keyed to the Level of Concern of your device. These recommendations are predicated on your effective implementation and management of the QSR, including Design Controls.[iv]
We believe the documents that we recommend submitting will generally be the same documents that you would normally generate during the development of a Software Device. Therefore, in a properly managed and documented medical device software development environment, the documents that you submit in response to the recommendations in this guidance may be copies of your product development documents.
We explain the documents that we recommend submitting in the sections following Table 3. In some instances, the recommended documentation for the Level of Concern may take the form of statements in the body of the submission; other documents, such as the Software Requirements Specification, will likely be stand-alone documents copied into the submission.
Table 3. Documentation Based on Level of Concern
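| SOFTWARE DOCUMENTATION | MINOR CONCERN | MODERATE CONCERN | MAJOR CONCERN |
|---|---|---|---|
| Level of Concern | A statement indicating the Level of Concern and a description of the rationale for that level. | A statement indicating the Level of Concern and a description of the rationale for that level. | A statement indicating the Level of Concern and a description of the rationale for that level. |
| Software Description | A summary overview of the features and software operating environment. | A summary overview of the features and software operating environment. | A summary overview of the features and software operating environment. |
| Device Hazard Analysis | Tabular description of identified hardware and software hazards, including severity assessment and mitigations. | Tabular description of identified hardware and software hazards, including severity assessment and mitigations. | Tabular description of identified hardware and software hazards, including severity assessment and mitigations. |
| Software Requirements Specification (SRS) | Summary of functional requirements from SRS. | The complete SRS document. | The complete SRS document. |
| Architecture Design Chart | No documentation is necessary in the submission. | Detailed depiction of functional units and software modules. May include state diagrams as well as flow charts. | Detailed depiction of functional units and software modules. May include state diagrams as well as flow charts. |
| Software Design Specification (SDS) | No documentation is necessary in the submission. | Software design specification document. | Software design specification document. |
| Traceability Analysis | Traceability among requirements, specifications, identified hazards and mitigations, and Verification and Validation testing. | Traceability among requirements, specifications, identified hazards and mitigations, and Verification and Validation testing. | Traceability among requirements, specifications, identified hazards and mitigations, and Verification and Validation testing. |
| Software Development Environment Description | No documentation is necessary in the submission. | Summary of software life cycle development plan, including a summary of the configuration management and maintenance activities. | Summary of software life cycle development plan. Annotated list of control documents generated during development process. Include the configuration management and maintenance plan documents. |
| Verification and Validation Documentation | Software functional test plan, pass/fail criteria, and results. | Description of V&V activities at the unit, integration, and system level. System level test protocol, including pass/fail criteria, and tests results. | Description of V&V activities at the unit, integration, and system level. Unit, integration and system level test protocols, including pass/fail criteria, test report, summary, and tests results. |
| Revision Level History | Revision history log, including release version number and date. | Revision history log, including release version number and date. | Revision history log, including release version number and date. |
| Unresolved Anomalies (Bugs or Defects) | No documentation is necessary in the submission. | List of remaining software anomalies, annotated with an explanation of the impact on safety or effectiveness, including operator usage and human factors. | List of remaining software anomalies, annotated with an explanation of the impact on safety or effectiveness, including operator usage and human factors. |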
Level of Concern
We recommend that you indicate the Level of Concern for your Software Device, determined before the effects of any mitigations. We recommend that you clearly state which one of the three levels of concern is appropriate for your device and include documentation of the rationale for your decision. We also recommend that your documentation make your decision-making process apparent to FDA.
Software Description
We recommend that you provide a comprehensive overview of the device features that are controlled by software, and describe the intended operational environment. Generally, we recommend that you provide the information in paragraph format and highlight major or operationally significant software features. The software description should include information on the following:
- programming language
- hardware platform
- operating system (if applicable)
- use of Off-the-Shelf software (if applicable).
If your device uses Off-the-Shelf software, please refer to the FDA guidance document “Guidance for Off-the-Shelf Software Use in Medical Devices.”[iii]
If this information is included in another document, such as the Software Requirements Specification, your submission should contain an annotation and a reference to the document in the submission where this information is located.
Device Hazard Analysis
We recommend that you submit a Device Hazard Analysis for all Software Devices. The Device Hazard Analysis should take into account all device hazards associated with the device’s intended use, including both hardware and software hazards. We recommend that you present the information in tabular form with a line item for each identified hazard. This document can be in the form of an extract of the software-related items from a comprehensive risk management document, such as the Risk Management Summary described in ISO 14971.[v] In this format, each line item should include:
- identification of the hazardous event
- severity of the hazard
- cause(s) of the hazard
- method of control (e.g., alarm, hardware design)
- corrective measures taken, including an explanation of the aspects of the device design/requirements, that eliminate, reduce, or warn of a hazardous event; and
- verification that the method of control was implemented correctly.
When performing a hazard analysis, we recommend that you address all foreseeable hazards, including those resulting from intentional or inadvertent misuse of the device.
Software Requirements Specification
The Software Requirements Specification (SRS) documents the requirements for the software. This typically includes functional, performance, interface, design, developmental, and other requirements for the software. In effect, this document describes what the Software Device is supposed to do. Examples of some typical requirements that would be included in a SRS are described below. For Software Devices that are identified as Minor Level of Concern, we recommend that you provide only the summary functional requirements section from the SRS, including identification of off-the-shelf software. For Software Devices that are identified as Major or Moderate Level of Concern, we recommend that you provide the complete SRS document.
Hardware requirements generally include:
- memory devices
- energy sources
- safety features
Programming Language Requirements
Programming language requirements include program size requirements or restrictions, and information on management of memory leaks.
Interface requirements generally include both communication between system components and communication with the user such as:
Software Performance and Functional Requirements
Software performance and functional requirements include algorithms or control characteristics for therapy, diagnosis, monitoring, alarms, analysis, and interpretation with full text references or supporting clinical data, if necessary. Software performance and functional requirements may also include:
- device limitations due to software
- internal software tests and checks
- error and interrupt handling
- fault detection, tolerance, and recovery characteristics
- safety requirements
- timing and memory requirements
- identification of off-the-shelf software, if appropriate.
Architecture Design Chart
This document is typically a flowchart or similar depiction of the relationships among the major functional units in the Software Device, including relationships to hardware and to data flows such as networking. It is usually not necessary to include every function call and module in this document; however, there should be sufficient information to allow for review of the organization of the software relative to the functionality and to the intended use of the Software Device. For Moderate and Major Level of Concern devices, detailed information such as state diagrams may be useful to clearly depict the relationships among the software functional units. If the Architecture Design Chart is included in another document such as the SRS then you should include in your submission a statement to that effect and a reference to the location of the Architecture Design Chart in the submission.
Software Design Specification
The Software Design Specification (SDS) describes the implementation of the requirements for the Software Device. In terms of the relationship between the SRS and the SDS, the SRS describes what the Software Device will do and the SDS describes how the requirements in the SRS are implemented. The information presented in the SDS should be sufficient to ensure that the work performed by the software engineers who created the Software Device was clear and unambiguous, with minimal ad hoc design decisions. The SDS may contain references to other documents, such as detailed software specifications. However, the document you submit should, in and of itself, provide adequate information to allow for review of the implementation plan for the software requirements in terms of intended use, functionality, safety, and effectiveness.
Traceability Analysis
A Traceability Analysis links together your product design requirements, design specifications, and testing requirements. It also provides a means of tying together identified hazards with the implementation and testing of the mitigations. We recommend that you submit for review explicit traceability among these activities and associated documentation because they are essential to effective product development and to our understanding of product design, development and testing, and hazard mitigations. The Traceability Analysis commonly consists of a matrix with line items for requirements, specifications and tests, and pointers to hazard mitigations. It is possible to document traceability simply through a shared organizational structure with a common numbering scheme; however, we recommend that you include some mechanism, such as a matrix for guiding the reviewer through the information you submit.
Software Development Environment Description
For Moderate and Major Level of Concern Software Devices, the submission should include a summary of the software development life cycle plan. This summary should describe the sponsor’s software development life cycle and the processes that are in place to manage the various life cycle activities. For Major Level of Concern Software Devices, this document should also include an annotated list of the control/baseline documents generated during the software development process and a list or description of software coding standards.
As mentioned elsewhere, configuration or change management is a crucial aspect of software development. Changes to the Software Device after initial market release should be subject to positive control, with definitive specification and test plans including well-defined regression testing where appropriate. The description of the development environment should provide information on your configuration management and maintenance plan that addresses these aspects of the software development life cycle. For a Major Level of Concern device, we recommend that you provide sufficient detail to allow for a thorough understanding of the configuration management and maintenance plan. For a Moderate Level of Concern device, we recommend that you provide only a summary of the configuration management and maintenance plans.
Verification and Validation Documentation
The terms “verification” and “validation” described earlier in this document refer to two phases of Software Device testing. This section recommends the type of testing documentation you should include in a premarket submission for a Software Device, based on the Level of Concern.
Minor Level of Concern Devices
For Minor Level of Concern devices, we recommend that you submit documentation of system or device level testing, and, where appropriate, integration testing. The documentation submitted should include system or device level test pass/fail criteria and a summary of the test results.
Moderate Level of Concern Devices
For Moderate Level of Concern devices, we recommend that you submit a summary list of validation and verification activities and the results of these activities. We also recommend that you submit your pass/fail criteria. You should ensure that the Traceability Analysis effectively links these activities and results to your design requirements and specifications.
Major Level of Concern Devices
For Major Level of Concern devices, we recommend that you submit the information recommended above for Moderate Level of Concern devices and a description of any tests that were not passed. We also recommend that you include any modifications made in response to failed tests and documentation of results demonstrating that the modifications were effective. Documentation provided in your submission should include examples of unit integration testing and a summary of the results.
Revision Level History
Your submission should include the history of software revisions generated during the course of product development. This typically takes the form of a line-item tabulation of the major changes to the software during the development cycle, including date, version number, and a brief description of the changes in the version relative to the previous version. The last entry in the list should be the final version to be incorporated in the released device. This entry should also include any differences between the tested version of software and the released version, along with an assessment of the potential effect of the differences on the safety and effectiveness of the device.
Unresolved Anomalies (Bugs or Defects)
For Moderate and Major Level of Concern Software Devices, the submission should include a list of all unresolved software anomalies. For each anomaly, we recommend that you indicate the:
- impact on device performance
- any plans or timeframes for correcting the problem (where appropriate).
We recommend that you annotate each item with an explanation of the impact of the anomaly on device safety or effectiveness, including operator usage and human factors issues. Typically, this list can be generated as an output of a change control board or similar mechanism for evaluation and disposition of unresolved software anomalies. We recommend that you communicate this list to the end user as appropriate to assist in the proper operation of the device. In all instances where it is practical to do so, you should include any mitigations or possible work-arounds for unresolved anomalies; this recommendation applies to Blood Establishment Computer Software in particular.
The Special 510(k) Program
For a premarket submission to qualify for review under the Special 510(k) Program, the device should be a modification of your 510(k) cleared device that you own, where the modification does not alter the intended use or the fundamental scientific technology of the device.[vii] In a Special 510(k), you should follow the recommendations in this guidance on the documentation to submit, but submit only the documentation related to the modification that prompted the submission. For example, when submitting the documentation of requirements and specifications in a Special 510(k), the documentation should focus on the modifications and may not necessarily include all of the requirements and specifications of the entire device.
We recommend that you submit the regression testing performed to verify and validate the modifications. We recommend that you submit your test plans, pass/fail criteria, and summary results rather than test data. In all cases, the type of software-related documentation and the level of detail you provide should be appropriate to the Level of Concern associated with your device in the context of the modifications. Since a Special 510(k) submission relies on your declaration of conformance to design controls, we believe you cannot properly submit a Special 510(k) until you have completed testing or other activities relied on by your declaration (see section 514(c)(1)(B) of the Federal Food, Drug, and Cosmetic Act (Act) (21 U.S.C. 360d(c)(1)(B))).
The Abbreviated 510(k) Program
An Abbreviated 510(k) submission must include the required elements identified in 21 CFR 807.87. In an Abbreviated 510(k), FDA may consider the contents of the documentation recommended in this guidance to be appropriate supporting data within the meaning of 21 CFR 807.87(f) or (g). Therefore, we recommend that you submit the documentation described in this guidance.[viii]
If you choose to rely on an FDA-recognized standard for any part of the device design or testing, you may include either a:
- statement that testing will be conducted and meet specified acceptance criteria before the product is marketed; or
- declaration of conformity to the standard.[ix]
Because a declaration of conformity is based on results from testing, we believe you cannot properly submit a declaration of conformity until you have completed the testing the standard describes. For more information, please refer to section 514(c)(1)(B) of the Act and the FDA guidance, “Use of Standards in Substantial Equivalence Determinations.”[x]
If you declare conformance to a standard that recommends specific tests or testing methods for your Software Device, we recommend that you submit documentation of pass/fail criteria and associated test results along with your declaration of conformance. We also recommend that you list deviations from the tests and test methods specified in the standard and explain these deviations in terms of the impact on the safety and effectiveness of the Software Device. A list of FDA recognized consensus standards is available on the CDRH web site.[xi]
Risk Assessment and Management
Inadequate or inappropriate software development life cycle and risk management activities, inappropriate use of a Software Device, or operational errors can result in a variety of potential failures or design flaws. Among these are unsafe or ineffective delivery of energy, drugs, and life-supporting or life-sustaining functions. The delivery of incorrect or incomplete information causing a misdiagnosis or selection of the wrong treatment or therapy is also a potential failure associated with certain Software Devices. Therefore, the risks associated with potential failures or design flaws are a concern during the review of Software Devices.
Risk Assessment and Level of Concern
As mentioned earlier, your assessment of the risks associated with your Software Device should assist you in determining an appropriate Level of Concern. We also recommend that you consider the Level of Concern for other devices of the same generic type or intended use. If you believe a different Level of Concern is appropriate for your device, we recommend that you submit a detailed explanation of your rationale.
The risk associated with Software Devices varies over a continuum from negligible to very severe. In general, FDA considers risk as the product of the severity of injury and the probability of its occurrence. However, software failures are systemic in nature and therefore the probability of occurrence cannot be determined using traditional statistical methods. Therefore, we recommend that you base your estimation of risk for your Software Device on the severity of the hazard resulting from failure, assuming that the failure will occur. We also recommend that you use risk identification and control techniques described in consensus standards such as ISO 14971.[v]
Software Change Management
Design, development, testing, and version control of revisions to the software are as important as development and testing of the software that was reviewed in the premarket submission. We believe the majority of software-related device problems that occur in the field, including software-related device recalls, happen to devices that are running software that has been revised since premarket review. In some instances, revisions that did not require FDA review were implicated in adverse events and recalls.[xii] We believe this indicates the need for careful control of software revisions.
Blood Establishment Computer Software
In premarket submissions for Blood Establishment Computer Software, you should submit a complete copy of the User’s Manual as it will be provided to the user, including, but not limited to, a description of all limitations. Additionally, you should submit the documentation you will provide to the user to describe all outstanding anomalies or software defects with corresponding workarounds, where applicable, if these issues are not addressed in the User’s Manual.
Software of Unknown Pedigree (SOUP)
Some or all of the software contained in a Software Device may have been obtained by the submitter from a third party. The type and quality of documentation that accompanies this software can vary considerably. Software for which adequate documentation may be difficult to obtain is referred to as Software of Unknown Pedigree or “SOUP.”
It may be difficult for you to obtain, generate, or reconstruct appropriate design documentation as described in this guidance for SOUP. Therefore, we recommend that you explain the origin of the software and the circumstances surrounding the software documentation. Additionally, your Hazard Analysis should encompass the risks associated with the SOUP regarding missing or incomplete documentation or lack of documentation of prior testing. Nonetheless, the responsibility for adequate testing of the device and for providing appropriate documentation of software test plans and results remains with you.
Virus Protection Software
Software applications designed to protect information systems, including Software Devices, from harmful or malicious code (“viruses,” “worms,” etc.) are becoming more commonplace as devices become increasingly interconnected and therefore exposed to the external information environment. Issues related to installation and testing of virus protection software are beyond the scope of this document. You may contact the CDRH Office of Compliance for more information on this topic.
Interfaces, Networking, and Network Infrastructure
As mentioned above, Software Devices are increasingly interconnected, both through point-to-point interfaces for exchange of specific data with specific devices and by connection to local and wide area networks and the Internet. While data exchange and communication infrastructure such as telephone lines, local area networks, and broadband connections are not regulated as medical devices, connection to these carriers affects the operation of Software Devices, sometimes adversely. An example is a Software Device that is connected to a local area network and ceases to operate properly when a problem occurs with the network interface. We recommend that your software design take into account both the capabilities and liabilities of the interfaces provided with your device, and in particular that your hazard analysis and mitigations encompass these issues.
Generally, the recommendations of this guidance will apply to the device component of combination products (such as drug-device and biologics-device combinations) when the device component meets the definition of a Software Device. For more information, you may contact the Office of Combination Products or the FDA review division that will have the lead review for your combination product.
i This document combines the recommendations in “Guidance for FDA Reviewers and Industry: Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” issued on May 29, 1998, and “Reviewer Guidance for a Premarket Notification Submission for Blood Establishment Computer Software” issued on January 13, 1997.
iv 21 CFR 820.30 Subpart C – Design Controls of the Quality System Regulation.
v ISO 14971-1; Medical devices - Risk management - Part 1: Application of risk analysis.
vi AAMI SW68:2001; Medical device software - Software life cycle processes.
vii See “The New 510(k) Paradigm – Alternate Approaches to Demonstrating Substantial Equivalence in Premarket Notifications – Final Guidance,” available on the FDA Web site.
viii For more information see Device Advice, “How to Prepare an Abbreviated 510(k),” in particular the section titled “Information Required in an Abbreviated 510(k).”
xii For information on determining when revisions to software should result in a new premarket submission, you should consult the relevant FDA guidances such as “Deciding When to Submit a 510(k) for a Change to an Existing Device”. See also 21 CFR 807.81(a)(3).