Click here to return to the article "Building Quality into Medical Device Software."

FDA’s key expectations for software validation are summarized below. This list contains information from the 2002 software validation guidance as well as from FDA’s Off-The-Shelf Software Use in Medical Devices, Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices, and AAMI TIR32:2004, Medical Device Software Risk Management.

Planning

• Identification of the design inputs that are necessary to produce validated software.
• A plan that tightly defines and controls the entire software development process, as well as its documentation.
• Provision for appropriate and sufficient development and testing environments, resources, and organization.
• Validation extent and effort based on the software’s complexity and safety risk.
• Identifying appropriate activities and tasks for validating the most critical software, with allowance to scale the process for less critical applications, including documented justifications for the omitted activities.
• Establishing procedures that describe how to perform the software validation activities, and the tasks that are to be undertaken to achieve it.
• Including tasks intended to prevent software defects.

Specifications

• Specifications that are accurate, complete, correct, consistent, testable, clear, and state the intended use of the software.
• A risk management process that identifies both direct (functional source) causes of hazards and indirect (technological source) causes of hazards to the intended software behavior, their consequences, and how they will be mitigated. The hazard analyses should address both the intended use and possible misuse of the product.
• Program design that addresses human factors and includes input from the user population.

Testing

• Verification tasks, such as reviews and testing, performed with an element of independence from development resources.
• Validation tasks performed at each stage of the software development life cycle.
• Comprehensive verifications.
• Code-based and specification-based testing methodologies.
• Challenging functional testing.
• Unit testing.
• Integration/interface testing.
• System testing.
• Regression testing for software changes.
• Testing in the intended use environment.
• Test cases that contain predetermined expected results.
• Measures that provide an acceptable level of confidence in the quality of the software prior to shipping.

Coding

• Coding guidelines (e.g., language usage rules, complexity management, and source code understandability requirements) established to control the programming process.
• A source code translation (e.g., compilation) procedure that includes the maximum error checking requirements and acceptance criteria.

Change Control

• Controls that ensure accurate correspondence among the approved versions of software items/elements, e.g., specifications documents, source code, object code, and test suites.
• A defect management procedure that provides for logging, tracking, and resolution of bugs and other anomalies.
• Traceability analysis showing conformance to all software specifications and that software requirements are traceable to the system specifications and risk management results. The analysis should also show that all software specifications have been implemented in the code and that tests are traceable to specifications or code as applicable.
• Software change control that assures code changes do not introduce new defects.
• Anomaly (defect) evaluation as part of the continuous improvement of the software development/validation process.

Documentation

• Accurate and thorough documentation, e.g., plans, procedures, specifications, test protocols, reports.
• Test documentation that permits pass-fail decisions to be made subsequent to test execution.
• Test documentation that can be reused in regression testing.

FDA recognizes that these software validation activities may be dispersed, occurring at different locations and conducted by a variety of organizations.