Medical Device software continues to evolve and change as do FDA regulations. When it comes to the content of the software documentation requirements for a pre-market submission (510k), the FDA’s last issued guidance back in 2005. However, on June 14 2023, FDA released a new and revised final guidance document which substantially alters software requirements for 510k submissions by changing terms as well as increasing the scope of the software documentation requirements. Medical device and IVD regulatory professionals need to become fully aware of these changes as they may become effective at any time in the near future and will affect all future premarket submissions containing software.
The risk level of software or “Levels of Concern” is the first and most obvious change in the new 2023 guidance, since in the 2005 guidance, FDA identifies three levels of concern: Major, Moderate, or Minor, which are wells understood and defined as:
Major: If a failure or latent flaw in the medical device could result directly in death or serious injury to the patient or operator. Additionally, the concern is Major if a failure or latent flaw could indirectlyresult in death or serious injury of the patient or operator through incorrect or delayed information or through the action of a care provider.
Moderate: If a failure or latent design flaw could directly result in minor injury to the patient or operator. The level of concern is also Moderate if a failure or latent flaw could indirectlyresult in minor injury of the patient or operator through incorrect or delayed information or through the action of a care provider.
Minor: If failures or latent design flaws are unlikely to cause any injury to the patient or operator.
However, in the 2023 guidance, FDA reduced the software risk to only two levels of concern to Basic and Enhanced.
Enhanced: This level of concern is for combination products, any class 3 device, any device that is used to test blood, determine donor and recipient compatibility or is blood establishment computer software, as well as the definition of Major level of concern from the 2005 guidance, including anything that could directly or indirectly cause death or a serious injury if there was a failure or latent design flaw
Basic: This level of concern is for anything else that does not fall into the Enhanced category.
However, it is critical to note the level of documentation in the new Basic is much higher than it was in the Minor level of concern.
In any pre-market submission, the Sponsor had to provide the FDA with certain levels of specific documentation depending on the level of concern.
The table below, ACI compared the software documentation required in 2005 based and the specified level of concern and the new 2023 guidance based on either Basic or Enhanced level of concern. New requirements in the 2023 guidance are bolded and italicized.
- Software Description
The first section for Software in a premarket submission is the software’s description, the 2005 version requested the summary of features and the operating environment (think OS, hardware, etc.) but now in the draft guidance will require that as well as a series of analyses, and the inputs and outputs of the software.
2. Risk Management
The second section of the premarket submission is Risk management, which is expanding and moving from a simple tabular description in the 2005 version to a full risk management plan, risk assessment, mitigation and a risk management report aligned with ISO 14971 in the 2023 version. This is seen across other updates the FDA and other organizations like IEC and ISO are making such as to electrical safety testing requirements which also require the completion of a risk management plan and a full report, essentially ensuring and mandating that more risk management processes are conducted for all devices.
3. Software Requirements Specification (SRS)
The Software Requirements Specification (SRS) is the next section, one of the more important sections of the documentation required as it guides the verification and validation activities and establishes what the software is expected to do. In the 2005 guidance, it had two different tiers, basic required only a brief summary, with moderate and major requiring much more details. This includes a detailed description of software needs/expectation, traceability to other software documentation elements including the risk management file, software design specification, system and software architecture design and software testing. In the 2023 guidance the minor requirement is no longer an option, and the complete package is now required regardless.
4. Architectural Design Chart
After the SRS, an architectural design chart was the next section, which was not required for Minor level of concern and is now mandatory. An architectural design chart is a detailed description of modules, layers and interfaces of the software, detailed the relationships with lines and arrows as needed. The chart should show the flow of data, the inputs and outputs, as well as how users or external products interact with the Software.
5. Software Design Specification (SDS)
The Software Design Specification (SDS) provides insight and describes the implementation of the firmware requirements as defined in the SRS. It normally includes design considerations, intent and development procedures so that it can be understood how the software was developed. It is not required in the 2005 Minor level and the 2023 basic level but must be included for all other Levels of Concern.
6&7. Traceability Matrix/Revision Level History
The requirements for a traceability matrix with revision level history of the software through all its updates is unchanged. Except for the revision history must describe the summarized changes in each version based on the 2023 guidance.
8. Verification and Validation Documentation
The verification and validation of the software is the result and output of all the other prior documents and is the critical component of the software section of the premarket submission.
In the 2005 guidance, each level of concern had its own set of requirements, starting with Minor which only required the submitter to include a brief summary of unit integration and system level testing. The Moderate level of concern required a brief summary of unit integration and system level testing but also requires the full protocols and reports for system level testing. The Major level of concern required all protocols and reports for each unit of the software, the integration of each unit and the overall system level testing performed.
In the 2023 guidance the Basic level is the same as the Moderate level of concern and Enhanced is the same as Major level of concern.
9. Unresolved Anomalies (Bugs or Defects)
Another section of the submission that has seen some significant updates is the unresolved anomalies (Bugs or Defects) section. In the 2005 guidance at a Basic level of concern there was no requirement to detail any bugs or defects, with Moderate and Major levels of concern requiring a list with explanations on safety and/or effectiveness. In the 2023 updated guidance this requirement is asked at both concern levels, as well as requesting the submitter detail the work arounds to these bugs and the planned timeframe for correction of said bugs or defects, essentially asking for the full development plan to fix and repair any issues with the software.
10. Software Development and Maintenance
The final software section that needs to be detailed in a pre-market submission is software development and maintenance plans. In the 2005 guidance, the Minor level of concern was the only level of concern where it was not required. The Moderate level of concern requested a summary of the software life cycle development plan, including a summary of the configuration management and maintenance activities. At a Major level of concern, the software life cycle development plan required the full list of control documents created during the development process.
With the updated 2023 guidance, the submitter now has the option of including a declaration of conformity to IEC 62304 “medical device software – software life cycle processes” or for the new Basic level of documentation following the prior Moderate level of documentation, and for the Enhanced level detailing the full software life cycle development plan and full list of documents, aligning to the Major level of concern.
This post has been a brief overview of the requirements and a high-level look at the proper regulatory framing of software development and the proper level of documentation required for a premarket submission to the FDA, Accurate Consultants is here to help with any medical device software needs and is happy to help guide your firm from start to finish. If you are interested, please send us an email at info@accuratefdaconsulting.com for a rapid response and quote for the required services.
Sources
- Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices. Issued on May 11, 2005. Food and Drug Administration.
- Guidance for the Content of Premarket Submissions for Device Software Functions. Issued on June 14, 2023. Food and Drug Administration.