Here’s this week’s example of an Additional Information Request (AI Request):
FDA Additional Information Request – Example #18: Off-The-Shelf Software
In your software description, you provided information about the OTS software used by the display, but did not provide information about the OTS software used by the other software components in your system.
As recommended in Section III.A of the FDA guidance document “Off-The-Shelf Software Use in Medical Devices”, please provide a description of all OTS software used in your system, to include:
- the title and manufacturer; version level, release date, patch number and upgrade designation
- a description of any OTS documentation that will be provided to the end user, a description of why this OTS software is appropriate for this medical device; a description of what the expected design limitations of the OTS software are
- a description of what the computer system specifications for the OTS software are
- a description of what the OTS software does and how you know it works
Please ensure your OTS software is included in your management file and is included in your software verification and validation testing.
Finally, please provide documentation to assure FDA that the product development methodologies used by the OTS software developer are appropriate and sufficient for the intended use of your device and demonstrate that you have appropriate mechanisms in place to assure the continued performance, maintenance, and support of the OTS software.
A clear and accurate description of the OTS software used in your device is important to determine the testing needed to mitigate relevant software-related risks. An assessment of the 3rd party developer’s development, qualification and maintenance documentation for the OTS software used in your device is important to demonstrate that you have sufficient purchasing controls in place as described in 21 CFR Part 820.50 (Purchasing Controls). Purchasing controls provide confidence that the OTS software in your device conforms to your specified requirements and inform the testing needed to mitigate any OTS software risks.
Adequate testing and risk mitigation are important because software with unmitigated risks could result in adverse health effects – such as patient injury or death.
In this example, the FDA’s Additional Information Request focuses on the need to control off-the-shelf (OTS) software. With the exception of the OTS software used in the main display of the device, the medical device company failed to provide information on any other OTS software used in the device.
For each OTS software item used in the device, the FDA is requesting the following information:
- the title and manufacturer, version level, release date, patch number and upgrade designation
- a description of OTS documentation that will be provided to the end user
- a description of why the OTS software is appropriate for the medical device
- a description of the expected design limitations of the OTS software
- a description of the computer system specifications for the OTS software
- a description of what the OTS software does and how the medical device company knows it works as intended
Any OTS software used in the device must be included in the risk management file as well as in software verification and validation testing.
Auditing the product development methodologies used by the OTS software developer provides assurance that these practices are appropriate and sufficient for the intended use of the device. It also demonstrates that appropriate mechanisms are in place to ensure the continued performance, maintenance, and support of the OTS software.
A Software Bill of Materials (SBOM) listing all of the OTS software used in the device is a key tool for showing the FDA a level of maturity and competence in handling issues surrounding OTS software.
An assessment of the third-party developer’s development, qualification, and maintenance documentation for the OTS software used in the device needs to be performed. As part of purchasing controls, these assessments provide confidence that the OTS software used in the device conforms to the specified requirements. These requirements also guide the verification testing needed to ensure any required OTS software risk mitigations are properly implemented.
Finally, the FDA is concerned that a lack of adequate testing and risk mitigation could result in adverse health effects for patients.
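The deficiency in this example was a coverage gap: one component's OTS software was described and the rest was not. The following added example (not from the FDA or the original article) cross-checks an OTS inventory against every system component, the requested description items, the risk management file and the V&V test list. All field names, component names and records are hypothetical and constructed for illustration.

```python
# Added example: field names and sample records are hypothetical (constructed).
REQUIRED_FIELDS = (
    "title", "manufacturer", "version", "release_date", "patch_number",
    "upgrade_designation", "end_user_documentation", "appropriateness_rationale",
    "design_limitations", "system_specifications", "function_and_evidence",
)

def audit_ots(used_by_component, documented, risk_file, vv_tested):
    """Return {ots_name: [gaps]} for every OTS item used anywhere in the system."""
    # Invert component -> OTS items so each OTS item is audited exactly once.
    users = {}
    for component, names in used_by_component.items():
        for name in names:
            users.setdefault(name, []).append(component)
    findings = {}
    for name, comps in sorted(users.items()):
        gaps = []
        record = documented.get(name)
        if record is None:
            # The gap the request describes: used in the system, never described.
            gaps.append("undocumented; used by " + ", ".join(sorted(comps)))
        else:
            gaps += [f"missing field: {f}" for f in REQUIRED_FIELDS
                     if not str(record.get(f) or "").strip()]
        if name not in risk_file:
            gaps.append("not in risk management file")
        if name not in vv_tested:
            gaps.append("not in verification and validation testing")
        if gaps:
            findings[name] = gaps
    return findings

# Constructed sample: only the display's OTS software is fully covered.
USED = {
    "display": ["ExampleGUI"],
    "controller": ["ExampleRTOS", "ExampleTLS"],
    "data_logger": ["ExampleTLS"],
}
DOCUMENTED = {
    "ExampleGUI": dict.fromkeys(REQUIRED_FIELDS, "provided"),
    "ExampleTLS": {**dict.fromkeys(REQUIRED_FIELDS, "provided"), "patch_number": ""},
}
RISK_FILE = {"ExampleGUI", "ExampleTLS"}
VV_TESTED = {"ExampleGUI"}

if __name__ == "__main__":
    for ots, gaps in audit_ots(USED, DOCUMENTED, RISK_FILE, VV_TESTED).items():
        print(ots, "->", "; ".join(gaps))
```

In practice the `USED` mapping would be generated from the build or from an SBOM rather than maintained by hand, so that the inventory cannot drift from what actually ships.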