Industry seeks clarity, ICH Q9 alignment in FDA’s device production software guidance

Regulatory News | 14 November 2022 | Jeff Craven

Comments in response to the US Food and Drug Administration (FDA)’s draft guidance on software assurance for computer and data processing systems associated with medical device production have asked the agency to align some of the language in the document with the recent International Council for Harmonisation’s (ICH) Q9 guidance, exclude system lifecycle tools from the guidance and include information on cybersecurity.
 
The draft guidance details a risk-based approach to “establish confidence in the automation used for production or quality systems, and identify where additional rigor may be appropriate” as well as steps for validating the software and its appropriate use. When implemented, FDA said the framework will help meet the requirements of 21 CFR 820.70(i), which dictates the maintenance schedule requirements of medical equipment. (RELATED: FDA drafts guidance on device production and quality system software assurance, Regulatory Focus 12 September 2022)
 
The guidance, when finalized, is intended to replace Section 6 of the “General Principles of Software Validation” (GPSV) final guidance published in January 2002 on validation of automated process equipment and quality system software.
 
Adopt language from ICH Q9 guidance
 
Stakeholders commenting on FDA’s draft guidance generally welcomed the agency’s flexible, risk-based approach to production and quality system computer software assurance (CSA).
 
“The flexible approach in this draft guidance is a welcome improvement over the historically rigid and non-value added approaches to computer system validations (CSV) adopted throughout much of the medical device, pharmaceutical, and life-sciences industries,” biotechnology company 23andMe wrote in their comment.
 
Several commenters noted the agency should adopt quality risk management terminology and principles as outlined in the recent ICH Q9 (Revision) guidance, rather than the language used in the draft guidance. (RELATED: ICH releases revised Q9 guideline to improve risk assessments, Regulatory Focus 03 January 2022)
 
“The use of ICH terminology and principles should lead to more consistent interpretation by industry and regulators and facilitate understanding and potential acceptance by other regulatory agencies,” the International Society for Pharmaceutical Engineering (ISPE) wrote in their comment.
 
CSA vs. CSV
 
In particular, several commenters were concerned with the draft guidance’s use of the term CSA in the title and body of the document and its potential for being misunderstood by industry. “If the guidance shall have an impact outside of the medical device sector, the guidance title shall be reconsidered since it contradicts the definition of a ‘computerised system’ based on PIC/S PI 011-3, section 6.2,” the European Compliance Academy wrote.
 
“CSV does not cover software quality only but takes a holistic approach including, beside the computer, the controlled process, the related procedures, and the personnel. These elements are not or only very limited addressed in the guidance possibly causing confusion for the readers,” they explained. In some cases, compliance can’t be reduced to the computer software alone, they noted, as much current manufacturing and laboratory equipment is computer controlled.
 
“The current guidance content could be [misunderstood] by the industry causing a compliance decreasing and a control loss for production and quality system computer systems,” they said.
 
While 23andMe interpreted the use of the term CSA as a departure from the traditional meaning of validation, they asked FDA to “be more definitive in stating that these computer software assurance methods (i.e. unscripted testing) actually fulfill the validation requirements and don't just ‘help to fulfill the validation requirements.’”
 
 
Cybersecurity
 
Commenters observed that cybersecurity is a component of safety risk for medical device products and was missing from the draft guidance.
 
“Security risks (e.g., private info exposure) pose a potential safety risk that is not associated with a specific medical device. Implying high process risks are limited to only "medical devices" and not to medical data may create an inadequate execution of risk scenario validation,” Siemens Healthineers wrote in their comment.
 
Boston Scientific requested FDA create a prompt in the guidance for industry and agency staff to consider cybersecurity requirements, noting that cybersecurity is “a critical component of ensuring that production and quality systems meet and maintain their intended use.”
 
System lifecycle tools do not fall under 21 CFR 820.70(i)
 
There was also a question of whether system lifecycle tools should be considered in the guidance, as they are not included in other, similar guidances such as EU GMP, Annex 11, Computerised Systems and ISPE GAMP 5.
 
“Based on the rationale given below, and to harmonize with [other guidances], it is recommended that final guidance should regard system lifecycle tools as not considered to be used as part of production or the quality system and, therefore, not validated under 21 CFR 820.70(i),” ISPE wrote in their comment.
 
Another place where FDA’s guidance diverges from GAMP 5 and EU GMP, Annex 11 is in how it characterizes validation of supporting software: the other guidances simply require demonstration of adequacy, rather than validation. “Applying the concept of ‘validation’ to such tools raises a potential barrier and discouragement to their use, as well as potentially increasing cost without additional quality and safety benefits, depending on the interpretation of ‘validation’ in the regulated company,” ISPE explained.
 
Boston Scientific also raised an issue with the data being collected and whether it all falls under the purview of 820.70(i). “The way the guidance is written, it suggests that all production data that is captured falls into 820.70(i). This is not the case as much data that is gathered is related to scrap, yield, etc,” Boston Scientific wrote. “Make [it] clear that only the gathering and processing of data required by the quality system needs to be in scope of 820.70(i).”
 
Applicability to non-medical industries
 
Technology company Medidata expressed concern in its comment about the applicability of the guidance outside medical devices. “If the agency has collaborated across multiple arms and intends this guidance to be applicable beyond Medical Device, it should clarify applicability in the Introduction and Scope section. Please specify that CSA is not replacing CSV,” they said.
 
The European Compliance Academy cautioned against FDA using this guidance in non-medical device industries as well. “Comparing regulated medical devices with less regulated industry sectors can be very dangerous. The safety expectations are not similar. Past experience has shown that the transfer of industry practices from less regulated sectors to stricter regulated sectors (aircraft, healthcare) can lead to safety catastrophes,” they said.
 
The European Compliance Academy also questioned the need for a new supplemental guidance for GPSV, suggesting that the agency should instead update the GPSV rather than create a new guidance with a limited scope.
 
“The [chosen] approach to amend the GPSV by superseding Section 6 and replacing it with the CSA guidance is highly unfortunate since it causes confusion for the readers,” they wrote. “It would be clearer and better to issue a new version of the GPSV with a revised content, including a possible formal scope extension.”
 
© 2025 Regulatory Affairs Professionals Society.