Off-The-Shelf Software in Medical Devices: Documentation Requirements for Premarket Submissions
This guidance provides recommendations for documentation required in premarket submissions for medical devices using Off-The-Shelf (OTS) software. OTS software is defined as a generally available software component used by a medical device manufacturer for which they cannot claim complete software life cycle control (e.g., operating systems, printer/display libraries).
What You Need to Know
What is Off-The-Shelf (OTS) software in medical devices?
OTS software consists of generally available software components used by a medical device manufacturer for which the manufacturer cannot claim complete software life cycle control, such as operating systems or printer/display libraries.
What documentation level applies to my medical device with OTS software?
Documentation level (Basic or Enhanced) depends on whether a failure could present probable risk of death or serious injury. Enhanced level applies when such risks exist prior to risk control measures.
Do I need a new 510(k) when changing OTS software in my device?
The decision depends on the device's intended use, OTS software function, and extent of risk mitigation. Same conditions apply as for devices without OTS software per existing FDA guidance.
What testing is required for OTS software in medical devices?
Testing must be commensurate with documentation level and demonstrate appropriateness for associated hazards. This includes sponsor qualification testing and may include OTS developer testing with documented results.
Can OTS software vendors submit confidential information separately to FDA?
Yes, commercial OTS software vendors can submit confidential development and validation information through a Master File for Devices (MAF) rather than sharing directly with device manufacturers.
What labeling requirements exist for medical devices using OTS software?
User manuals must specify approved OTS software versions, include warnings against using non-specified software, and describe minimum hardware platforms and proper installation testing procedures.
What You Need to Do
Recommended Actions
- Determine the Documentation Level (Basic or Enhanced) based on device risk assessment
- Prepare comprehensive OTS software description including features, specifications and interfaces
- Conduct and document risk assessment for OTS software components
- Develop and execute verification and validation test plans
- Establish configuration management and version control procedures
- Create appropriate labeling including warnings and requirements
- Implement cybersecurity measures for data protection
- Document development methodology assurance (Enhanced level only)
- Establish maintenance and support procedures
- Prepare obsolescence management strategy
- Include all required documentation in premarket submission based on Documentation Level
Key Considerations
Non-clinical testing
- Test plans and results must be provided as part of verification and validation activities for the OTS software
- Testing should include activities performed by both OTS software developer and device manufacturer
- Testing must be appropriate for the hazards associated with the OTS software
- Current list of OTS software defects must be provided
Human Factors
- Education and training requirements for users must be specified
- Human factors conditions introduced by new OTS software components must be evaluated
Software
- Complete description of OTS software features and functions must be provided
- Computer system specifications must be detailed (hardware and software requirements)
- Links with other software must be fully defined
- Configuration management and version control procedures must be implemented
- Installation and maintenance procedures must be documented
- Risk assessment demonstrating appropriate risk mitigation must be provided
Cybersecurity
- Data integrity measures must be implemented including error checking and correction
- User authorization and authentication must be implemented for sensitive data access
- Network security considerations must be addressed for networked devices
Labelling
- User manual must specify supported OTS software versions
- Warnings about using non-specified software must be included
- Minimum hardware platform requirements must be documented
- Installation verification procedures must be described
Safety
- Safety impact assessment must be performed when introducing new/modified OTS software
- Hazards must be documented in Risk Management File
- Traceability between hazards, requirements and test reports must be provided
Other considerations
- Development methodologies assurance required for Enhanced Documentation level devices
- Continued maintenance and support mechanisms must be demonstrated
- Obsolescence management plan should be provided
- Network architecture and performance requirements must be specified for networked devices
Relevant Guidances
- Content of Premarket Submissions for Device Software Functions
- Cybersecurity in Medical Devices: Design, Implementation, and Premarket Submissions
- Software Validation for Medical Device Production, Quality Systems, and Device Components
- Applying Human Factors Engineering and Usability Engineering to Medical Devices
Related references and norms
- ISO 13485: Medical devices - Quality management systems for regulatory purposes
- IEC 62304: Medical device software - Software life cycle processes