Premarket Software Functions Guidance
Premarket Software Functions Guidance
For questions about this document regarding CDRH-regulated devices, contact the Digital Health
Center of Excellence at [email protected]. For questions about this document regarding
CBER regulated devices, contact the Office of Communication, Outreach, and Development
(OCOD) at 1-800-835-4709 or 240-402-8010, or by email at [email protected].
When final, this guidance will supersede Guidance for the Content of
Premarket Submissions for Software Contained in Medical Devices, May
2005.
Preface
Additional Copies
CDRH
Additional copies are available from the Internet. You may also send an email request to CDRH-
[email protected] to receive a copy of the guidance. Please include the document number
337 and complete title of the guidance in the request.
CBER
Additional copies are available from the Center for Biologics Evaluation and Research (CBER),
Office of Communication, Outreach, and Development (OCOD), 10903 New Hampshire Ave.,
Bldg. 71, Room 3128, Silver Spring, MD 20993-0002, or by calling 1-800-835-4709 or 240-402-
8010, by email, [email protected] or from the Internet at
https://www.fda.gov/vaccines-blood-biologics/guidance-compliance-regulatory-information-
biologics/biologics-guidances.
Contains Nonbinding Recommendations
Table of Contents
I. Introduction ............................................................................................................................. 1
II. Background ............................................................................................................................. 2
III. Scope ....................................................................................................................................... 4
IV. Definitions............................................................................................................................... 5
V. Documentation Level .............................................................................................................. 7
VI. Recommended Documentation ............................................................................................... 9
Documentation Level Evaluation ................................................................................... 11
Software Description ...................................................................................................... 11
System and Software Architecture Diagram .................................................................. 13
Risk Management File ................................................................................................... 15
Software Requirements Specification (SRS) ................................................................. 18
Software Design Specification (SDS) ............................................................................ 19
(1) Basic Documentation Level........................................................................................ 19
(2) Enhanced Documentation Level ................................................................................. 20
Software Development and Maintenance Practices ....................................................... 20
(1) Basic Documentation Level........................................................................................ 20
(2) Enhanced Documentation Level ................................................................................. 21
Software Testing as part of Verification and Validation................................................ 21
(1) Basic Documentation Level........................................................................................ 21
(2) Enhanced Documentation Level ................................................................................. 22
Revision Level History................................................................................................... 22
Unresolved Anomalies (e.g., Bugs, Defects, or Errors) ................................................. 23
VII. Additional Information ......................................................................................................... 23
Regulatory Considerations for Software Functions ....................................................... 23
Off-The-Shelf (OTS) Software Use in Medical Devices ............................................... 24
Comparison of Guidance to IEC 62304 and ANSI/AAMI/IEC 62304 .......................... 25
Appendix A: Documentation Level Examples ............................................................................. 27
Appendix B: System and Software Architecture Diagram Chart Examples ................................ 31
Contains Nonbinding Recommendations
13 I. Introduction
14 This guidance document is intended to provide information regarding the recommended
15 documentation sponsors should include in premarket submissions for FDA’s evaluation of the
16 safety and effectiveness of device software functions, which are functions that meet the
17 definition of a device under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FD&C
18 Act). 1 The recommendations in this guidance document pertain to device software functions,
19 including software in a medical device (SiMD) and software as a medical device (SaMD). 2
20 When final, this document will replace FDA’s Guidance for the Content of Premarket
21 Submissions for Software Contained in Medical Devices 3 issued on May 11, 2005, and it will
22 update FDA’s thinking related to the documentation FDA recommends sponsors include for the
23 review of device software functions in premarket submissions.
24
25 This guidance identifies the software information generally necessary for evaluating the safety
26 and effectiveness of a device in a premarket submission. The recommendations in this guidance
27 also may help facilitate FDA’s premarket review. This guidance describes information that
1
The term “device” is defined in 201(h) of the Federal Food, Drug, and Cosmetic (FD&C) Act to include an
“instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article,
including any component, part, or accessory, which is ...intended for use in the diagnosis of disease or other
conditions, or in the cure, mitigation, treatment, or prevention of disease, in man ... or intended to affect the structure
or any function of the body of man...” and “does not include software functions excluded pursuant to section 520(o)
of the FD&C Act.”
2
See FDA website on “Software as a Medical Device (SaMD),” available at https://www.fda.gov/medical-
devices/digital-health-center-excellence/software-medical-device-samd.
3
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/guidance-content-
premarket-submissions-software-contained-medical-devices.
1
Contains Nonbinding Recommendations
28 would be typically generated and documented 4 during software development, verification, and
29 design validation. The least burdensome approach was applied to identify the minimum amount
30 of information that, based on our experience, would generally be needed to support a premarket
31 submission for a device that uses software. During premarket review, FDA may request
32 additional information that is needed to evaluate the submission. For example, in order to
33 demonstrate a reasonable assurance of safety and effectiveness for devices that use software,
34 documentation related to the requirements of the Quality System Regulation (QSR) (21 CFR Part
35 820) is often a necessary part of the premarket submission. As part of QSR design controls, a
36 manufacturer must “establish and maintain procedures for validating the devices design,” which
37 “shall include software validation and risk analysis, where appropriate.” (21 CFR 820.30(g)).
38 The documentation recommended in this guidance is based on FDA’s experience evaluating the
39 safety and effectiveness of device software. However, sponsors may use alternative approaches
40 and provide different documentation so long as their approach and documentation satisfies
41 premarket submission requirements in applicable statutory provisions and regulations. For the
42 current edition of the FDA-recognized consensus standard(s) referenced in this document, see
43 the FDA Recognized Consensus Standards Database. 5 For more information regarding use of
44 consensus standards in regulatory submissions, please refer to the FDA guidance titled
45 Appropriate Use of Voluntary Consensus Standards in Premarket Submissions for Medical
46 Devices 6 and Standards Development and the Use of Standards in Regulatory Submissions
47 Reviewed in the Center for Biologics Evaluation and Research. 7
48
49 The contents of this document do not have the force and effect of law and are not meant to bind
50 the public in any way, unless specifically incorporated into a contract. This document is intended
51 only to provide clarity to the public regarding existing requirements under the law. FDA
52 guidance documents, including this guidance, should be viewed only as recommendations, unless
53 specific regulatory or statutory requirements are cited. The use of the word should in Agency
54 guidance means that something is suggested or recommended, but not required.
55
56 II. Background
57 The purpose of this guidance is to describe FDA’s thinking on the recommended documentation
58 sponsors should include in premarket submissions for FDA’s evaluation of the safety and
59 effectiveness of device software functions. This thinking recognizes recent changes to the FD&C
60 Act made by the 21st Century Cures Act (Cures Act), which amended section 520 of the FD&C
61 Act and excludes certain software functions from the device definition. It also considers the
62 rapidly evolving nature of digital health and recent FDA recognized consensus standards related
63 to software. This guidance, as described in Section III (Scope), is intended to complement other
4
As a reminder, manufacturers of device software must create and maintain software-related documentation in
accordance with the requirements of the Quality System (QS) Regulation (21 CFR 820.30 Subpart C – Design
Controls of the Quality System Regulation).
5
Available at https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfStandards/search.cfm.
6
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/appropriate-use-
voluntary-consensus-standards-premarket-submissions-medical-devices.
7
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/standards-development-
and-use-standards-regulatory-submissions-reviewed-center-biologics-evaluation.
2
Contains Nonbinding Recommendations
64 existing guidance documents that provide recommendations related to software, including the
65 guidance documents listed below. The following guidance documents represent a subset of FDA
66 guidances with digital health content 8 relevant to premarket software documentation activities.
67 Please note the list is not exhaustive and is subject to change:
68
69 • Multiple Function Device Products: Policy and Considerations 9
70 • Off-The-Shelf Software Use in Medical Devices 10,11
71 • Design Considerations and Premarket Submission Recommendations for
72 Interoperable Medical Devices 12
73 • General Principles of Software Validation 13
74 • Content of Premarket Submissions for Management of Cybersecurity in Medical
75 Devices 14
76 • Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS)
77 Software 15
78
79 FDA encourages the consideration of these guidances when developing device software
80 functions and preparing premarket software documentation.
81
82 The emergence of consensus standards related to software has helped to improve the consistency
83 and quality of software development and documentation, particularly with respect to activities
84 such as risk assessment and management. When possible, FDA harmonized the terminology and
85 recommendations in this guidance with software-related consensus standards, such as the
86 following examples. The following standards are not intended to represent an exhaustive list and
87 are subject to change:
88
89 • ANSI/AAMI/ISO 14971: Medical devices - Applications of risk management to
90 medical devices
91 • ANSI/AAMI/IEC 62304: Medical Device Software - Software Life Cycle Processes
92 (also referred to as “IEC 62304” in this guidance)
93 • ANSI/AAMI SW91: Classification of defects in health software
94
8
Available at https://www.fda.gov/medical-devices/digital-health-center-excellence/guidances-digital-health-
content
9
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/multiple-function-
device-products-policy-and-considerations.
10
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use-
medical-devices.
11
See section VII.B to learn more about referencing Off-The-Shelf (OTS) Software Use in Medical Devices.
12
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/design-considerations-
and-premarket-submission-recommendations-interoperable-medical-devices.
13
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-
software-validation.
14
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/content-premarket-
submissions-management-cybersecurity-medical-devices-0.
15
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-
networked-medical-devices-containing-shelf-ots-software.
3
Contains Nonbinding Recommendations
95 The Agency encourages the consideration of these FDA recognized consensus standards when
96 developing device software functions and preparing premarket software documentation.
97 III. Scope
98 For the purposes of this document, FDA refers to a software function that meets the definition of
99 a device as a “device software function.” For example, a device software function may control a
100 hardware device or be part of a hardware device 16 (i.e., Software in a Medical Device, or SiMD)
101 or be a device without being part of a hardware device 17 (i.e., Software as a Medical Device, or
102 SaMD). 18 For any given product, the term “function” is a distinct purpose of the product, which
103 could be the intended use or a subset of the intended use of the product. For example, a product
104 with an intended use to analyze data has one function: analysis. A product with an intended use
105 to store, transfer, and analyze data has three functions: (1) storage, (2) transfer, and (3) analysis.
106 As this example illustrates, a product may contain multiple functions.
107
108 This guidance is intended to cover:
109
110 • firmware and other means for software-based control of medical devices;
111 • stand-alone software applications;
112 • software intended to be operated on general-purpose computing platforms;
113 • dedicated hardware/software medical devices; and
114 • accessories to medical devices when those accessories contain or are composed of
115 software.
116
117 This guidance applies to all types of premarket submissions that include one or more device
118 software function(s). Premarket submissions include:
119
120 • Premarket Notification (510(k));
121 • De Novo Classification Request;
122 • Premarket Approval Application (PMA);
123 • Investigational Device Exemption (IDE);
124 • Humanitarian Device Exemption (HDE); and
125 • Biologics License Application (BLA).
126
127 This guidance does not apply to automated manufacturing and Quality System software 19 or
128 software that is not a device. For further information or to clarify the documentation
129 expectations, please contact the responsible FDA review division.
16
For the purposes of this guidance, a software function that is “part of a hardware device” is software used to
control a hardware device, or software necessary for a hardware device to achieve its intended use.
17
Ibid.
18
Additional resources on determining whether a software product contains device functions are provided in section
VII.A.
19
As part of Quality System Regulation production and process controls, 21 CFR 820.70(i) states, “When computers
or automated data processing systems are used as part of production or the quality system, the manufacturer shall
validate computer software for its intended use according to an established protocol. All software changes shall be
validated before approval and issuance. These validation activities and results shall be documented.”
4
Contains Nonbinding Recommendations
130
131 Generally, the recommendations in this guidance apply to the device constituent part of a
132 combination product 20 (such as drug-device and biologic-device combination products) when the
133 device 21 constituent part includes a device software function. For more information, contact the
134 FDA review division that will have the lead review for the combination product.
135
136 Other FDA guidance documents may recommend additional software-related documentation for
137 inclusion in a premarket submission. For example, recommendations regarding cybersecurity
138 information to include in a device premarket submission can be found in the guidances Content
139 of Premarket Submissions for Management of Cybersecurity in Medical Devices and
140 Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software. 22
141 Section II (Background) references other relevant guidance documents that supplement the
142 recommendations contained in this guidance.
143
144 Device software functions subject to specific special controls may require additional software-
145 related documentation in a premarket submission. As applicable, please refer to the relevant
146 special controls for the device.
147
148 This guidance does not apply to the software-related documentation that may be needed to
149 evaluate postmarket software device issues, including corrections and removals.
150
151 While this guidance identifies the documentation sponsors should include in premarket
152 submissions, this guidance is not meant to provide recommendations regarding how device
153 software should be developed, verified and validated. For recommendations on device software
154 development, verification and validation, please consult software-related FDA recognized
155 consensus standards and other software-related FDA guidance documents mentioned in this
156 guidance (e.g., General Principles of Software Validation 23).
157
20
21 CFR 3.2(e).
21
Section 201(h) of the FD&C Act.
22
As part of the software validation and risk analysis required by 21 CFR 820.30(g), software device manufacturers
may need to establish a cybersecurity vulnerability and management approach, where appropriate. FDA
recommends that this approach include a set of cybersecurity design controls to ensure medical device cybersecurity
and maintain medical device safety and effectiveness. Such design controls may make it more likely that FDA will
find your device meets its applicable statutory standard for premarket review.
23
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-
software-validation
24
See footnotes 1 and 2.
5
Contains Nonbinding Recommendations
164 purpose of the product, which could be the intended use or a subset of the intended use of the
165 product.
166
167 Off-the-Shelf Software 25, 26 - A generally available software component used by a device
168 manufacturer for which the manufacturer cannot claim complete software life cycle control (e.g.,
169 operating system, printer/display libraries).
170
171 Serious Injury 27- An injury or illness that:
172 1) Is life threatening,
173 2) Results in permanent impairment of a body function or permanent damage to a
174 body structure, or
175 3) Necessitates medical or surgical intervention to preclude permanent impairment
176 of a body function or permanent damage to a body structure. Permanent is defined
177 as irreversible impairment or damage to a body structure or function, excluding
178 trivial impairment or damage.
179
180 Software as a Medical Device (SaMD) 28, 29 - Software that meets the definition of a device in
181 section 201(h) of the FD&C Act and is intended to be used for one or more medical purposes
182 without being part of a hardware device. 30
183
184 Software in a Medical Device (SiMD) 31 - Software that meets the definition of a device in
185 section 201(h) of the FD&C Act, and is used to control a hardware device or is necessary for a
186 hardware device to achieve its intended use. Typically, SiMD is embedded within or is part of a
187 hardware device. 32
188
189 Software Verification and Software Validation - This guidance uses the terms “software
190 verification” and “software validation,” which are described in further detail below.
191
192 • For the purposes of this guidance, software verification is confirmation by objective
193 evidence that the output of a particular phase of development meets all the input
194 requirements for that phase. Software verification involves evaluating the consistency,
195 completeness, and correctness of the software and its supporting documentation, as it is
196 being developed, and provides support for a subsequent conclusion that software is
197 validated. Software testing is one of several verification activities intended to confirm
198 that the software development output meets its input requirements. Other verification
199 activities include walk-throughs, various static and dynamic analyses, code and document
25
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/shelf-software-use-
medical-devices.
26
See section VII.B to learn more about referencing Off-The-Shelf Software Use in Medical Devices.
27
Serious injury as defined in 21 CFR 803.3(w).
28
For examples, refer to the following FDA webpage: https://www.fda.gov/medical-devices/software-medical-
device-samd/what-are-examples-software-medical-device.
29
See footnotes 1 and 2.
30
See footnote 16.
31
See footnotes 1 and 2.
32
See footnote 16.
6
Contains Nonbinding Recommendations
200 inspections, module level testing and integration testing. For example, the input and
201 output of the design phase are known as Software Requirements Specification (SRS) and
202 Software Design Specification (SDS), respectively. In this case, software verification
203 would involve confirming by objective evidence (e.g., reviews, traceability analysis) that
204 the software design as documented in the SDS (i.e., output) correctly and completely
205 implements all the requirements of the SRS (i.e., input).
206
207 • For the purposes of this guidance, software validation refers to establishing, by objective
208 evidence, that the software specifications conform to user needs and intended uses, and
209 that the particular requirements implemented through software can be consistently
210 fulfilled. Software validation is a part of design validation of the finished device. It
211 involves checking for proper operation of the software in its actual or simulated use
212 environment, including integration into the final device where appropriate. Software
213 validation is highly dependent upon comprehensive software testing and other
214 verification tasks previously completed at each stage of the software development life
215 cycle. Planning, requirements, traceability, testing, risk assessment, design reviews,
216 change management, and many other aspects of good software engineering are important
217 activities that together help to support a conclusion that software is validated.
218
219 The above descriptions of software verification and software validation are consistent with
220 FDA’s thinking as described in the guidance General Principles of Software Validation. 33
221
33
See “General Principles of Software Validation” Guidance, available at https://www.fda.gov/regulatory-
information/search-fda-guidance-documents/general-principles-software-validation.
34
See 21 CFR 801.4 (“…[I]ntended uses…refer to the objective intent of the persons legally responsible for the
labeling of an article. The intent may be shown by such persons’ expressions, the design or composition of the
article, or by the circumstances surrounding the distribution of the article.”).
7
Contains Nonbinding Recommendations
238
239 1) The device is a constituent part of a combination product. 35
240
241 2) The device (a) is intended to test blood donations for transfusion-transmitted
242 infections; or (b) is used to determine donor and recipient compatibility; or (c) is a
243 Blood Establishment Computer Software. 36
244
245 3) The device is classified as class III. 37
246
247 4) A failure or latent flaw of the device software function(s) could present a probable
248 risk of death or serious injury 38, either to a patient, user of the device, or others in
249 the environment of use. These risk(s) should be assessed prior to implementation of
250 risk control measures. You should consider the risk(s) in the context of the device’s
251 intended use; the direct and indirect impacts to safety, treatment, and/or diagnosis;
252 and other relevant considerations.
253
254 The term ‘probable’ in factor #4 above is intended to capture reasonably foreseeable software
255 and hardware risks associated with the device, including those risks resulting from intentional or
256 reasonably foreseeable misuse of the device, prior to the implementation of risk control
257 measures. “Probable” risks also include the likelihood that device functionality is intentionally or
258 unintentionally compromised by inadequate device cybersecurity. The term “probable” is
259 intended to exclude the consideration of purely hypothetical risks, consistent with the use of
260 “probable” in other FDA guidances. 39 It is the sponsor’s responsibility to proactively and
261 comprehensively consider risks as part of the device’s risk assessment.
262
263 For additional information and examples on assessing the Documentation Level for a device,
264 please refer to Appendix A.
265
35
21 CFR 3.2(e).
36
Blood establishment computer software (BECS) is a device used in the manufacture of blood and blood
components to assist in the prevention of disease in humans by identifying ineligible donors, by preventing the
release of unsuitable blood and blood components for transfusion or for further manufacturing into products for
human treatment or diagnosis, by performing compatibility testing between donor and recipient, or by performing
positive identification of patients and blood components at the point of transfusion to prevent transfusion reactions.
This generic type of device may include a BECS accessory, a device intended for use with BECS to augment the
performance of the BECS or to expand or modify its indications for use (21 CFR 864.9165).
37
See 21 CFR 860.3(c)(3).
38
See 21 CFR 803.3(w).
39
Example guidances that distinguish between “probable risks” and “purely hypothetical risks” include, but are not
limited to: (1) Factors to Consider When Making Benefit-Risk Determinations for Medical Device Investigational
Device Exemptions - Guidance for Investigational Device Exemption Sponsors, Sponsor-Investigators and Food and
Drug Administration Staff available at: https://www.fda.gov/regulatory-information/search-fda-guidance-
documents/factors-consider-when-making-benefit-risk-determinations-medical-device-investigational-device; and
(2) Factors to Consider When Making Benefit-Risk Determinations in Medical Device Premarket Approval and De
Novo Classifications available at: https://www.fda.gov/regulatory-information/search-fda-guidance-
documents/factors-consider-when-making-benefit-risk-determinations-medical-device-premarket-approval-and-de
8
Contains Nonbinding Recommendations
System and Detailed diagrams of the modules, layers, and interfaces that comprise the
Software device, their relationships, the data inputs/outputs and flow of data, and
Architecture how users or external products (including IT infrastructure and peripherals)
Design Chart interact with the system and software.
(Section IV.C)
Risk Risk management plan, risk assessment demonstrating that risks have been
Management File appropriately mitigated, and risk management report.
(Section IV.D)
9
Contains Nonbinding Recommendations
(Section IV.E) software design specification, system and software architecture design
chart, software testing as part of verification and validation).
Revision Level Revision history tabulating the major changes to the software during the
History development cycle, including date, version number, a brief description of
the changes relative to the previous version, and indication of the version
(Section IV.I) on which testing was performed.
Unresolved List of remaining software anomalies (e.g., bugs, defects) annotated with an
Anomalies (e.g., explanation of the impact on safety or effectiveness, including operator
Bugs, Defects, or usage and human factors, work-arounds, and timeframe for correction.
Errors)
10
Contains Nonbinding Recommendations
(Section IV.J)
281
282 Documentation Level Evaluation
283 A statement indicating the Documentation Level for the device and a description of the rationale
284 for such Documentation Level, as appropriate.
285
286 Software Description
287 An overview of operationally significant software features, including images, flow charts, and
288 state diagrams as needed to adequately explain the software functionality 40 should be provided.
289 If the premarket submission is for a modified device, provide the document number of the
290 previous submission and highlight pertinent software changes since the last FDA approval or
291 clearance.
292
293 Please consider and provide information to address the questions below when preparing the
294 software description. However, FDA recognizes that these questions and examples may not
295 capture all the unique aspects of a device software function and encourages the inclusion of
296 additional information that will streamline or further FDA’s understanding of the device’s
297 functionality to facilitate the review of a submission.
298
299 If the device is a multiple function device product and includes software function(s) that are
300 considered “other functions,” as that term is used in the guidance Multiple Function Device
301 Product: Policy and Considerations, the recommendations described in the aforementioned
302 guidance should be considered when preparing the software description information.
303
304 Software Specifics
305
306 • What programming languages and compiler versions are used?
307 • What hardware platforms are used?
308 • What operating systems are used (if applicable)?
309 • Does the device use Off-The-Shelf (OTS) software(s)? 41
310 • What is the intended release version? If the intended release version is different from the
311 documentation’s version, explain the differences.
312
40
FDA may request additional architecture charts to address the cybersecurity risks associated with a device. Refer
to the guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical
Devices, for more information.
41
If a device uses OTS software, FDA may request additional information in premarket submissions. Please refer to
section VII.B of this guidance and the guidance document, Guidance for Off-The-Shelf Software Use in Medical
Devices, for more information.
11
Contains Nonbinding Recommendations
42
More information on interoperable medical devices is available at: https://www.fda.gov/regulatory-
information/search-fda-guidance-documents/design-considerations-and-pre-market-submission-recommendations-
interoperable-medical-devices.
12
Contains Nonbinding Recommendations
354 • What is the data or information flow of the software? Consider identifying the response
355 to this question in the system and software architecture diagram. Examples: inputs or
356 outputs transmitted locally, via cloud storage, by disk or drive, or wirelessly.
357 • Does the software interact with any networked devices? Does the software use cloud or
358 network storage?
359
360 If any of the information requested above is included in another document, such as the SRS, an
361 annotation and a reference to the document in the submission where this information is located
362 should be provided.
363
364 System and Software Architecture Diagram
365 The purpose of the system and software architecture diagram is to present a roadmap of the
366 device design to facilitate a clear understanding of 1) the modules 43 and layers that make up the
367 system and software, 2) the relationships among the modules and layers, 3) the data
368 inputs/outputs and flow of data among the modules and layers, and 4) how users or external
369 products, including IT infrastructure and peripherals (e.g., wirelessly connected medical devices)
370 interact with the system and software.
371
372 Sponsors should provide the appropriate level of detail in the system and software architecture
373 diagram to convey the information in a manner that can facilitate an efficient premarket review,
374 including descriptive text (in the diagram or in an accompanying document) to explain the
375 architecture diagram where appropriate. A system and software architecture diagram that is not
376 appropriately tailored (e.g., too high level, too detailed, or overly confusing) will likely increase
377 requests for additional information from the FDA review staff. To the extent appropriate, the
378 system and software architecture diagram can be communicated in one or more diagrams and in
379 one or more formats, and may convey different dimensions of the system and software (e.g.,
380 cybersecurity architecture, state diagram). If more than one diagram is used, the sponsor should
381 provide a high-level diagram that communicates the overview and points to the other diagrams
382 that provide additional detail. The relationship between diagrams should also be clearly
383 communicated. In general, the sponsor should take note of the following visual, language, and
384 reference considerations when developing an effective system and software architecture diagram:
385
386 Visual Considerations
387
388 • The diagram and the means for communicating information in the diagram should be
389 visually consistent (e.g., a solid arrow should convey a specific meaning as compared to a
390 dashed arrow; icons should be used consistently; lines that intersect should clearly
43
For purposes of the system and software architecture diagram, this guidance considers a module to be a discrete unit
or architectural item within the system or software. A module could represent, for example, a finished hardware device
within a system of hardware and software products, a hardware component within a finished hardware device, a
finished software product within a system of software products, or a software function within a finished software
product. A module is not specifically meant to describe code-level software functions, although such code-level
software functions could be considered modules if appropriate. The sponsor should determine what constitutes a
module in the context of its system and software.
13
Contains Nonbinding Recommendations
391 communicate whether the intersection is a crossing or connection) and the meaning
392 ascribed should be clearly communicated (e.g., through the use of standard symbols and
393 notation).
394 • The level of detail provided in the diagram should be consistent throughout unless areas
395 of less detail are clearly explained (e.g., in the case of functions, within the system or
396 software, that are not under review).
397 • Modules should be grouped in a logical and obvious manner.
398 • Use of color or other visual means (e.g., dashed boxes within solid boxes) should be used
399 to convey layering within the system, software, or module.
400 • Visual clutter should be avoided, and the diagram should be scaled according to the
401 complexity and amount of information presented.
402
403 Language Considerations
404
405 • Annotations should be used to provide additional information about a particular module
406 or data element (e.g., a plain-language explanation of the module purpose or a pointer to
407 a document or requirement within the premarket submission).
408 • Use of terminology and naming conventions should be consistent within the diagram and
409 the remainder of the premarket submission materials.
410 • Use of acronyms, jargon, or terms that are not defined in the diagram itself should be
411 avoided.
412
413 References
414
415 • The diagram should reference other documents in the submission (e.g., System &
416 Software Description, Software Requirements Specification), as appropriate.
417 • For submissions related to modifications to a previously cleared or approved device, the
418 diagram should identify and reference those modules that are affected by the
419 modification.
420
421 The above considerations are intended to serve as a guide and may not apply in every case or
422 may apply differently for different diagrams. When developing the system and software
423 architecture diagram, manufacturers are encouraged to leverage industry best practices within
424 and outside the medical device industry.
425
426 For multiple function device products, the system and software architecture diagram should
427 clearly delineate between the device functions-under-review and the “other functions,” as that
428 term is used in the guidance Multiple Function Device Product: Policy and Considerations. The
429 system and software architecture diagram should include adequate detail to understand how or if
430 the “other function(s)” interact with or impact the device function-under-review.
431
432 An example system and software architecture diagram is provided in Appendix B of this
433 guidance, which illustrates one approach to effectively convey the recommended information to
434 facilitate an efficient premarket review of a software system with multiple modules. The example
435 demonstrates how the considerations described in this section can be implemented into a system
14
Contains Nonbinding Recommendations
436 and software architecture diagram. The modules in the example are intended for illustration
437 purposes only and are not intended to document or represent a comprehensive or complete
438 system and software architecture diagram for a specific medical device or system. The approach
439 illustrated can be applied to any system and software architecture diagram, including standalone
440 SaMD.
441
442 Risk Management File
443 The risk management file should be provided as part of the premarket submission and include
444 the following documentation:
445
446 • Risk Management Plan
447 o Refer to the FDA recognized consensus standard ISO 14971 for
448 recommendations on the content of a risk management plan.
449
450 o Submit a risk management plan to support the effectiveness of the risk
451 management activities and processes for a particular medical device. In
452 FDA’s review of the risk management plan, the Agency intends to primarily
453 focus on:
454 Individual risk acceptability criteria including the need for risk
455 reduction (control).
456 Method to evaluate the acceptability of the overall residual risk for all
457 residual risks after all risk control measures have been implemented
458 and verified.
459
460 o The risk acceptability criteria should be based on the sponsor’s policy for
461 determining acceptable risk. The acceptability criteria should be documented
462 in the risk management plan before an initial risk evaluation is performed for
463 the medical device software under review.
464
465 o It should be clear in the risk management plan how the manufacturer’s plans
466 to evaluate the overall residual risk against the benefits of the intended use of
467 the device. For SiMD, if this information is covered in the overall device
468 hazard analysis, this should be noted in the software documentation and
469 reference that section of the submission.
470
471 • Risk Assessment
472 A risk assessment should be provided for all medical device software. For multiple
473 function device products, the risk assessment should include the results of a risk-
474 based analysis of any potential adverse impact or labeled positive impact of “other
475 function(s),” as that term is used in the guidance Multiple Function Device Product:
476 Policy and Considerations, to the safety or effectiveness of the device function-under-
477 review.
478
15
Contains Nonbinding Recommendations
479 The International Medical Device Regulators Forum (IMDRF) document, Software as
480 a Medical Device: Possible Framework for Risk Categorization and Corresponding
481 Considerations, 44 may also be helpful in identifying probable risks. Specifically, it
482 may be helpful to consider the significance of information provided by the software
483 and the criticality of the medical situation or condition in which the software is
484 intended to function.
485
486 All reasonably foreseeable software and hardware hazards associated with the device
487 should be identified and documented in a tabular format, including those hazards
488 resulting from intentional or reasonably foreseeable misuse of the device. You should
489 consider the device’s intended use; the direct and indirect impacts to safety,
490 treatment, and/or diagnosis; among other relevant considerations. In a tabular format,
491 each identified hazard is captured in a singular line item which should include the
492 following items:
493
494 o Identification of the hazard
495
496 o Cause(s) of the hazard
497
498 o Severity of the hazard
499
500 o Initial risk evaluation of hazard
501 This includes assessment of acceptability (e.g., acceptable, not
502 acceptable) and need for risk reduction (control) measures as defined
503 in the risk management plan
504
505 o Risk Control Measures
506 This should include the following risk control measures listed in
507 descending order from highest to lowest priority:
508 • Design
509 • Protective measures (e.g., alarms)
510 • Information for safety (e.g., written warnings, on-screen
511 warnings, training)
512
513 There should be verification of the implementation of the risk control
514 measures and verification of the effectiveness of the implemented risk
515 control measures (i.e., the implemented risk control measure reduces
516 risk). This can be accomplished by tracing the identified hazard to the
517 verified specific risk control measures (e.g., a requirement ID in the
518 SRS and SDS, a test name and identifier in the testing documentation
519 that shows pass/fail results, a user manual name and identifier, a
520 training manual name and identifier). For example, given an identified
44
Available at http://www.imdrf.org/docs/imdrf/final/technical/imdrf-tech-140918-samd-framework-risk-
categorization-141013.pdf.
16
Contains Nonbinding Recommendations
521 hazard (e.g., HAZ-XXX 45), the following could be listed for
522 traceability: a design related risk control measure that is documented
523 in a software requirement specification (e.g., SRS-XXX) and software
524 design specification (e.g., SDS-XXX), and tested as part of a unit test
525 case (e.g., UT-XXX), integration test case (e.g., INT-XXX) and
526 system test case (e.g., SYS-XXX). FDA recognizes that there may be
527 instances where a specific hazard traces to several
528 requirements/specifications and tests, thereby making the presentation
529 of information cumbersome in the risk assessment document.
530 Therefore, sponsors may choose to present this traceability in a
531 separate table or document with line items to link together software
532 requirements specifications, software design specifications, testing and
533 identified hazards derived from the risk assessment.
534
535 There should be an assessment of whether risk control measures
536 introduce new hazards or hazardous situations or impact the initial risk
537 evaluation.
538
539 Document any risk control measures employed to mitigate increased
540 risk or adverse effect on performance due to the combination of “other
541 function(s),” as that term is used in the guidance Multiple Function
542 Device Product: Policy and Considerations, with the device function-
543 under review.
544
545 o Residual risk evaluation after implemented risk control measures.
546 This includes assessment of acceptability (e.g., acceptable, not
547 acceptable) as defined in the risk management plan.
548
549 o Benefit-Risk Analysis
550 If a residual risk is deemed not acceptable according to the
551 acceptability criteria in the risk management plan and further risk
552 control is not practicable, the manufacturer should provide
553 documented evidence to demonstrate that the benefits of the intended
554 use outweigh the residual risk.
555
556 • Risk Management Report
557 o A risk management report should be provided to:
558 Show how the risk management plan has been appropriately
559 implemented.
560 Demonstrate that the risk management file has been assessed by the
561 appropriate personnel and the overall residual risk is acceptable
45
XXX denotes a unique number identifier for a specific hazard, software requirement specification, software
design specification, unit test case, integration test case or system test case.
17
Contains Nonbinding Recommendations
562 Demonstrate appropriate methods are established for the collection and
563 assessment of relevant production and post-production information
564
565 Software Requirements Specification (SRS)
566 The SRS documents the requirements 46 for the software which typically specifies inputs and
567 outputs, functions that the software will perform, hardware, 47 programming language, 48 compiler
568 version, performance, 49 interfaces, 50 user interaction, error definition and handling, response
569 times, intended operating environment, safety related requirements derived from a risk
570 assessment (Refer to Section VI.D Risk Management File) and all ranges, limits, defaults, and
571 specific values that the software will accept. For additional details on what should be included in
572 the software requirements specification, refer to the guidance, General Principles of Software
573 Validation. 51
574
575 The QSR requires “a mechanism for addressing incomplete, ambiguous, or conflicting
576 requirements.” 52 Each requirement (e.g., hardware, software, user, operator interface, and safety)
577 identified in the software requirements specification should be evaluated for accuracy,
578 completeness, consistency, testability, correctness, and clarity.
579
580 A complete SRS document should be provided. The documentation should include a description
581 of the software requirement identification and tracking methodology used to support the
582 traceability of the requirements.
583
584 FDA acknowledges that modern development practices may employ incremental or evolutionary
585 software development practices. Additional forms of software requirements might be included in
46
The term “requirements” is used in this section as part of the term “Software Requirements Specification”, and
does not refer to a regulatory requirement.
47
Hardware requirements generally include, but are not limited to, requirements related to: microprocessors,
memory devices, sensors, energy sources, safety features, and communications.
48
Programming language requirements generally include, but are not limited to, requirements related to program
size requirements or restrictions, and information on management of memory leaks.
49
Software performance and functional requirements generally include, but are not limited to, requirements related
to algorithms or control characteristics for therapy, diagnosis, monitoring, alarms, analysis, and interpretation with
full text references or supporting clinical data, if necessary. Software performance and functional requirements may
also include: device limitations due to software, internal software tests and checks, error and interrupt handling, fault
detection, tolerance, and recovery characteristics, safety requirements, and timing and memory requirements.
50
Interface requirements (e.g., external, user, internal) generally include, but are not limited to, both communication
between system components and communication with the user such as: printers, monitors, keyboard, mouse, cloud
servers, peripheral medical devices, mobile technology platforms.
51
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-
software-validation.
52
See 21 CFR 820.30(c) (“Design input. Each manufacturer shall establish and maintain procedures to ensure that
the design requirements relating to a device are appropriate and address the intended use of the device, including the
needs of the user and patient. The procedures shall include a mechanism for addressing incomplete, ambiguous, or
conflicting requirements. The design input requirements shall be documented and shall be reviewed and approved
by a designated individual(s). The approval, including the date and signature of the individual(s) approving the
requirements, shall be documented.”).
18
Contains Nonbinding Recommendations
586 the submission, such as well elaborated stories, use cases, textual descriptions, screen mockups,
587 and control flows. Executable requirements may be provided with additional clarification to
588 support readability.
589
590 In order to facilitate a timely premarket review, the following recommendations should be
591 considered in preparing SRS documentation:
592 • Format the SRS to be well-organized, easily navigable and readable with the labeling
593 and/or grouping of requirements by function.
594 • Note any relevant traceability between requirements listed in the SRS and information
595 related to those requirements in other software documentation (e.g., SDS, System and
596 Software Architecture Diagram, etc.).
597 • If the premarket submission involves a modification to an existing approved or cleared
598 device, highlight all pertinent differences in software requirements.
599 • The manufacturer may choose to identify the requirements the manufacturer believes are
600 most critical (i.e., could have the most significant impacts) to the device’s safety and
601 effectiveness. These requirements can be highlighted within the complete SRS document
602 and/or consolidated in a supplemental document that includes these requirements of
603 interest in a summarized format. This technique will help facilitate the presentation of
604 those requirements that most critically affect clinical functionality or performance
605 specifications that are directly associated with the intended use of the device.
606
607 Documentation of requirements included in the premarket submission for the device function-
608 under-review should include adequate detail to describe any expected relationship, utility,
609 reliance, or interoperability with any “other function,” as that term is used in the guidance
610 Multiple Function Device Product: Policy and Considerations.
611
612 Software Design Specification (SDS)
613 The Software Design Specification (SDS) may contain both a high level summary of the design
614 and detailed design information. In terms of the relationship between the Software Requirement
615 Specification (SRS) and the SDS, the SRS describes what the software function will do and the
616 SDS describes how the requirements in the SRS are implemented. The information presented in
617 the SDS should be sufficient to ensure that the work performed by the software engineers who
618 created the software device function was clear and unambiguous, with minimal ad hoc design
619 decisions. Documentation of specifications included in the premarket submission for the device
620 function-under-review should include adequate detail to describe any expected relationship,
621 utility, reliance, or interoperability with any “other function,” as that term is used in the guidance
622 Multiple Function Device Product: Policy and Considerations.
623
624 (1) Basic Documentation Level
625 No SDS documentation recommended in the premarket submission.
626
19
Contains Nonbinding Recommendations
53
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-
software-validation.
20
Contains Nonbinding Recommendations
666 o Note: Software maintenance typically includes the following types of software
667 changes:
668 Corrective: Changes made to correct errors and faults in the software
669 Perfective: Changes made to the software to improve the performance,
670 maintainability, or other attributes of the software system
671 Adaptive: Changes to make the software system usable in a changed
672 environment
673
674 (2) Enhanced Documentation Level
675 For devices that the Enhanced Documentation Level is appropriate, a Declaration of Conformity
676 to the currently FDA-recognized version of ANSI/AAMI IEC 62304 Medical Device Software -
677 Software Life Cycle Processes may suffice.
678
679 Alternatively, a complete configuration management and maintenance plan document could be
680 provided in addition to the summary documentation requested for the Basic Documentation
681 Level, as described above.
682
683 Software Testing as part of Verification and Validation
684 Refer to Section IV (Definitions) for important information pertaining to FDA’s thinking on
685 verification and validation, as it relates to this guidance. Additionally, please refer to guidance
686 General Principles of Software Validation 54 for additional details regarding FDA’s thinking
687 regarding software testing particularly unit level (module or component) testing, integration level
688 (internal and external interfaces) testing and system level (functional) testing.
689
690 Software testing may sometimes involve other device performance testing activities. If the
691 premarket submission leverages information from the performance testing section to address
692 software validation content, the manufacturer is encouraged to appropriately reference the
693 performance testing material to facilitate the navigation between submission sections, reduce
694 instances of duplication, and improve readability.
695
696 (1) Basic Documentation Level
697 The following software testing documentation should be provided:
698
699 • A summary description of the testing activities at the unit, integration, and system levels.
700 The summary description should include the software version tested and the overall
701 pass/fail test results for all test protocols (i.e., collection of test procedures for specific
702 software functionality) executed. If the device is a modified version of a previously
703 cleared or approved device, provide a summary of the modifications compared with the
704 previous cleared or approved version.
54
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-principles-
software-validation.
21
Contains Nonbinding Recommendations
705
706 • Any intentional changes made in response to failed tests and documentation of test results
707 demonstrating that the intentional changes were implemented correctly.
708
709 • A regression analysis and pass/fail test results to account for unintended effects of a
710 software change.
711
712 o Regression analysis is the determination of the impact of a change based on
713 review of the relevant documentation (e.g., software requirements specification,
714 software design specification, source code, test plans, test cases, test scripts, etc.)
715 in order to identify the necessary regression tests to be run. Regression testing is
716 the rerunning of test cases that a program has previously executed correctly and
717 comparing the current result to the previous result in order to detect unintended
718 effects of a software change.
719
720 • System level test protocol including expected results derived from software requirements,
721 actual results that are observed and recorded, objective pass/fail determination (i.e.,
722 actual results are acceptably equivalent to expected results) and a system level test report.
723 The system level test report should demonstrate that the protocol has been acceptably
724 executed with passing test results and any unresolved anomalies have been acceptably
725 deferred based on a risk assessment for the candidate release version.
726
22
Contains Nonbinding Recommendations
746 The last entry in the list should be the final version to be incorporated in the released device.
747 This entry should also include any differences between the tested version of software and the
748 released version, along with an assessment of the potential effect of the differences on the safety
749 and effectiveness of the device.
750
751 If a manufacturer’s development practices use an iterative methodology, information on any
752 changed software requirements and how they continue to meet the system requirements or design
753 inputs should be provided.
754
755 If the revision level history includes a version(s) that corresponds to a previously released
756 version of the software, please highlight in the revision level history document each prior
757 released version and (if applicable) the premarket submission number(s) associated with that
758 release.
759
760 Unresolved Anomalies (e.g., Bugs, Defects, or Errors)
761 An anomaly is any condition that deviates from the expected behavior based on requirements
762 specifications, design documents, standards, or from someone’s perceptions or experiences.
763
764 For each unresolved anomaly, indicate the:
765
766 • problem;
767 • impact on device performance; and
768 • any plans or timeframes for correcting the problem (where appropriate).
769
770 Each item should be annotated with an explanation of the impact of the anomaly on device safety
771 or effectiveness, including operator usage and human factors issues. Typically, this anomaly list
772 can be generated as an output of a change control board or similar mechanism for evaluation and
773 disposition of unresolved software anomalies. FDA suggests ranking anomalies based on risk to
774 patient and/or operator (user). Additionally, the Agency recommends including defect
775 classification for each anomaly using a defect taxonomy, such as ANSI/AAMI SW91’s
776 Classification of defects in health software.
777
778 If the resolution of any unresolved anomalies will be deferred, a risk-based rationale for why
779 each unresolved anomaly would not impact device safety or effectiveness should be provided.
780
781 A list of unresolved anomalies should be communicated to end user(s) as appropriate to assist in
782 the proper operation of the device. In all instances where it is practical to do so, any mitigations
783 or possible work-arounds for unresolved anomalies should be included in the premarket
784 submission.
785
788 Section 3060(a) of the Cures Act amended section 520 of the FD&C Act on December 13, 2016,
789 removing certain software functions from the definition of device in section 201(h) of the FD&C
790 Act. To learn more about FDA’s regulatory considerations for software functions, please
791 consider the following reference materials:
792
793 • Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st
794 Century Cures Act 55
795 • General Wellness: Policy for Low Risk Devices 56
796 • Policy for Device Software Functions and Mobile Medical Applications 57
797 • Medical Device Data Systems, Medical Image Storage Devices, and Medical Image
798 Communications Devices 58
799 • How to Determine if Your Product is a Medical Device 59
800
801 Off-The-Shelf (OTS) Software Use in Medical Devices
802 FDA recognizes the Off-The-Shelf Software Use in Medical Devices (“OTS”) guidance uses
803 “Level of Concern” factors to determine the software content for OTS software. Therefore, after
804 finalization of this guidance, FDA intends to update the OTS guidance to be consistent with this
805 guidance. For example, Table 2 below is derived from “Table 1” in the OTS guidance. Table 2
806 incorporates the Documentation Levels described in this guidance to help explain how the
807 concepts in this guidance could be represented in a future update to the OTS guidance.
808
809 Table 2: Documentation Level for Off-The-Shelf Software
Basic Documentation Level Enhanced Documentation Level
Hazard Analysis Hazard Analysis
Basic Documentation Basic Documentation
Hazard Mitigations Hazard Mitigations
Describe and Justify Residual Risk Describe and Justify Residual Risk
Special Documentation
810
811 Please refer to the OTS guidance for additional information on what information is requested as
812 part of “hazard analysis,” “basic documentation,” 60 “hazard mitigations,” “describe and justify
55
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/changes-existing-
medical-software-policies-resulting-section-3060-21st-century-cures-act.
56
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/general-wellness-
policy-low-risk-devices.
57
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/policy-device-software-
functions-and-mobile-medical-applications.
58
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/medical-device-data-
systems-medical-image-storage-devices-and-medical-image-communications-devices.
59
Available at https://www.fda.gov/medical-devices/classify-your-medical-device/how-determine-if-your-product-
medical-device.
60
Please note “Basic Documentation” is only applicable to the Off-The-Shelf Software Use in Medical Devices
(OTS) guidance and is NOT the same as “Basic Documentation Level.” “Basic Documentation” is described in the
24
Contains Nonbinding Recommendations
813 residual risk,” and “special documentation” content. The OTS Guidance describes “Special
814 Documentation” in section V.E. The information requested as part of the “Special
815 Documentation” includes: (1) an assurance to FDA that the product development methodologies
816 used by the OTS software developer are appropriate and sufficient for the intended use of the
817 OTS software within the specific medical device, (2) the procedures and results of the
818 verification and validation activities performed for the OTS software are appropriate and
819 sufficient for the safety and effectiveness requirements of the medical device, and (3) the
820 existence of appropriate mechanisms for assuring the continued maintenance and support of the
821 OTS software should the original OTS software developer terminate their support.
822
823 When appropriate, the documentation described in this guidance can be leveraged to address the
824 content described in the OTS guidance. For example, the OTS Hazard Analysis information may
825 be captured as part of the Risk Assessment, as described in this guidance.
826
827 Please note, OTS software is typically an “other function,” as that term is used in the guidance
828 Multiple Function Device Product: Policy and Considerations. Therefore, please consider the
829 impact of the OTS software on the device function-under-review and provide information (as
830 recommend in the OTS guidance) about the impact on the device function from the OTS
831 software in a manner consistent with the policy described in the Multiple Function Device
832 Product: Policy and Considerations guidance.
833
834 Additionally, please note the term SOUP, Software of Unknown Pedigree, may also be used to
835 describe software from a third party. For additional information on the term SOUP, please refer
836 to the use of the term in the standard ANSI/AAMI/IEC 62304: Medical Device Software -
837 Software Life Cycle Processes.
838
839 Comparison of Guidance to IEC 62304 and
840 ANSI/AAMI/IEC 62304
841 FDA recognizes voluntary consensus standards to help facilitate meeting requirements under the
842 statute or regulations. The use of FDA-recognized consensus standards can increase
843 predictability, streamline premarket review, provide clearer regulatory expectations, facilitate
844 market entry for safe and effective medical products, and promote international harmonization
845 (see Recognition and Withdrawal of Voluntary Consensus Standards 61).
846
847 As of this draft guidance’s publication, both IEC 62304 Edition 1.1 and ANSI/AAMI/IEC
848 62304:2006/A1:2016 Medical device software — Software life cycle processes (henceforth “IEC
849 62304”), are FDA-recognized voluntary consensus standards. The scope of each standard
850 includes life cycle requirements for medical device software, including the set of processes,
OTS guidance as the answers to questions pertaining to the description of OTS software; whereas “Basic
Documentation Level” is described in this guidance as one of two levels of documentation recommendations used to
help identify the minimum amount of information that, based on FDA’s experience, would generally be needed to
support a premarket submission for a device that uses software.
61
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/recognition-and-
withdrawal-voluntary-consensus-standards.
25
Contains Nonbinding Recommendations
851 activities, and tasks that establish a common framework for medical device software life cycle
852 processes.
853
854 There are similarities and differences between the intents and information discussed in this
855 guidance and IEC 62304. Both this guidance and IEC 62304 discuss how to document and
856 communicate software development, maintenance, and risk management processes. However,
857 this guidance document focuses on documentation and communication only as it pertains to
858 facilitating FDA’s complete and efficient review of device software functions subject to
859 premarket submission, whereas the scope of IEC 62304 extends beyond the intent of this
860 guidance and discusses broader perspectives that may not result in documents that are easily
861 reviewed by FDA.
862
863 Therefore, this guidance document intends to leverage IEC 62304 in a very specific manner in
864 order to reduce the amount of documentation requested to support a premarket submission for a
865 device software function. Specifically, Section V.G: Software Development and Maintenance
866 Practices offers an alternate approach through which FDA intends to accept a Declaration of
867 Conformity to IEC 62304 in place of a detailed description of software development and
868 maintenance practices (formerly, “Software Development Environment Description”). Sponsors
869 may refer to the guidance document Appropriate Use of Voluntary Consensus Standards in
870 Premarket Submissions for Medical Devices 62 for more information on preparation of a
871 Declaration of Conformity. Conformity to this consensus standard is voluntary and, as such, an
872 alternate approach is offered. When assessing the appropriate Documentation Level for the
873 device and the overall recommended documentation for inclusion in a premarket submission,
874 please refer to Section V (Documentation Level) and Section VI (Recommended
875 Documentation) of this guidance.
876
Available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/appropriate-use-
62
voluntary-consensus-standards-premarket-submissions-medical-devices.
26
Contains Nonbinding Recommendations
27
Contains Nonbinding Recommendations
28
Contains Nonbinding Recommendations
918 Outcome: The device is not a constituent part of a combination product, is not Blood
919 Establishment Computer Software, and is not intended for use in testing blood donations
920 for transfusion-transmitted infections or determining donor and recipient compatibility.
921 The device is class II. However, a failure or latent flaw of the device software function(s)
922 (e.g., exploited cybersecurity vulnerability compromises device functionality) would
923 present a probable risk of death or serious injury to a patient (e.g., loss of life supporting
924 function) prior to the implementation of risk control measures. Therefore, this device
925 would fall under “Enhanced Documentation Level.”
926
927 4. A Blood Establishment Computer Software or BECS accessory.
928
# Factors Yes/No
1 The device is a constituent part of a combination product. No
2 The device (a) is intended to test blood donations for transfusion- Yes
transmitted infections; or (b) is used to determine donor and recipient
compatibility; or (c) is Blood Establishment Computer Software.
3 The device is classified as class III. No
4 A failure or latent flaw of the device software function(s) could Yes
present a probable risk of death or serious injury either to the patient,
user of the device, or others in the environment of use. These risk(s)
should be assessed prior to implementation of risk control measures.
You should consider the risk(s) in the context of the device’s intended
use; the direct and indirect impacts to safety, treatment, and/or
diagnosis; and other relevant considerations.
929
930 Outcome: The device is not a constituent part of a combination product. It is Blood
931 Establishment Computer Software. The device is class II. However, a failure or latent
932 flaw of the device software function(s) (e.g., exploited cybersecurity vulnerability
933 compromises device functionality) would present a probable risk of death or serious
934 injury to a patient (e.g., loss of life supporting function) prior to the implementation of
935 risk control measures. Therefore, this device would fall under “Enhanced Documentation
936 Level.”
937
938 5. A qualitative in vitro nucleic acid screening test for the direct detection of Babesia DNA
939 and RNA in whole blood samples from individual human donors.
940
29
Contains Nonbinding Recommendations
# Factors Yes/No
1 The device is a constituent part of a combination product. No
2 The device (a) is intended to test blood donations for transfusion- Yes
transmitted infections; or (b) is used to determine donor and recipient
compatibility; or (c) is Blood Establishment Computer Software.
3 The device is classified as class III. No
4 A failure or latent flaw of the device software function(s) could Yes
present a probable risk of death or serious injury either to the patient,
user of the device, or others in the environment of use. These risk(s)
should be assessed prior to implementation of risk control measures.
You should consider the risk(s) in the context of the device’s intended
use; the direct and indirect impacts to safety, treatment, and/or
diagnosis; and other relevant considerations.
941
942 Outcome: The device is not a constituent part of a combination product and is not Blood
943 Establishment Computer Software. The device is licensed under a BLA and consequently
944 is not class III. However, the device is intended for use in testing blood donations for a
945 transfusion-transmitted infection where an inaccurate result could result in blood
946 recipient death or serious injury prior to the implementation of risk control measures.
947 Therefore, this device would fall under “Enhanced Documentation Level.”
948
949 6. A hardware-only hip prosthesis.
950
951 Outcome: This device would not have a Documentation Level because it does not
952 contain software.
953
954
955
30
Contains Nonbinding Recommendations
966
967 Figure 1: Example Architecture Design Chart – Overview of all modules
968
31
Contains Nonbinding Recommendations
969
970 Figure 2: Example Architecture Design Chart – Detail view of example module #1
971
32
Contains Nonbinding Recommendations
972
973 Figure 3: Example Architecture Design Chart – Detail view of example module #2
974
33
Contains Nonbinding Recommendations
975
976 Figure 4: Example Architecture Design Chart – Detail view of example module #3
977
978
34
Contains Nonbinding Recommendations
979
980 Figure 5: Example Architecture Design Chart – Detail view of example module #4
981
35
Contains Nonbinding Recommendations
982
983 Figure 6: Example Architecture Design Chart – Detail view of example module #5
984
985
986
36