2023 FDA Warning Letters and Software Validation

In the past year, we have witnessed a surge in FDA software-related announcements – including everything from new guidances to warning letters. These initiatives reflect the FDA’s increased focus on the digital world, including medical device software and non-product software used in regulated life sciences applications (i.e. GxP), such as clinical trials. 

Even more novel, the FDA is now auditing and issuing warning letters to small companies. Recent letters sent to Vitang (4 people) and ZYTO (56 people) underscore the FDA’s growing scrutiny on the proliferation of medical device startups and their software validation processes. 

Recent FDA guidances and activities

This “software flavor” to the Agency’s agenda is long overdue and has been discussed for the past few years. A recent flurry of FDA activity includes:

• The new final guidance on requirements for premarket submissions of device software functions
• The Patch Act (requirements for a complete safety-based SBOM and comprehensive cybersecurity plan) 
• The Computer Software Assurance (CSA) draft in 2022 clarified the agency’s latest approach to non product software validation.
• Draft guidance on how AI/ML machine learning-based device software will be managed in the US. 

On the heels of these guidances, the FDA has started issuing more warning letters to manufacturers focused on software issues. Its focus, of course, extends to large public companies as well, such as iRhythm. With heart devices widely deployed in tens of thousands of locations, iRhythm naturally attracts attention. This single letter resulted in a 15+% decrease in iRhythm’s stock price. 

Warning Letter Risks and Damages

The threat an FDA warning letter poses to any company is significant and existential to a startup. The immediate consequence is the disruption and resource diversion to rectify issues, instantly detracting from R&D and growth. Additional risks include:

• Irreversible reputational damage - Warning letter shows up on Google
• Immediate disruption to product manufacturing and distribution, affecting cash flow and investor attraction. 
• Removal of marketing authorization for up to 12 months
• Legal penalties if concerns aren't addressed
• Jeopardized future product approvals, with increased scrutiny from FDA
• In worst cases, business closure due to the inability to resolve findings

Expressed Citations in Recent FDA Warning Letters

FDA warning letters can no longer be dismissed as a risk to regulated life sciences applications and medical device manufacturers. With more scrutiny on software processes, more warning letters are expected for companies, and  in general, these letters, including those sent to iRhythm, Vitang, and ZYTO, focus on four common concerns:

1. Product Software validation – Not validating or verifying medical device software properly
2. Non-software product validation – Not validating or verifying infrastructure software (GxP software) used in manufacturing many quality processes
3. Procedure coverage and deviation – Not having procedures required by FDA 21 CFR Part 820 or Part 11 quality regulations 
4. Modified marketing statements – Ensuring device marketing statements do not differ from what the device is approved to do

The FDA is scrutinizing the entire product life cycle process, from design and testing to procedure and marketing practices, and teams are balancing an unprecedented amount of details within their complex software. This combination means all parties will be paying more attention to the minutiae of the software life cycle than ever before, starting with the four most common concerns:  

Product software validation

Enforcement of product software validation requirements (under 21 CFR Part 820.30) is not new and was cited both against iRhythm and Zyto. The challenge of validating complex software systems, which involve embedded, cloud, mobile, and AI components is one the FDA is deeply familiar with. In fact, over 20% of all medical device recalls are software related. As mentioned 820.30: “Design validation shall include software validation and risk analysis, where appropriate.” 

In the warning letter to iRhythm, the FDA notes the simple act of guaranteeing the deletion of personal health data was not validated. In the case of Zyto, the company failed to validate and provide objective evidence that its device works as intended. Both letters show the increased focus of the agency on software validation at both large and small companies.

Non-product software validation

The use of software in healthcare and life sciences is growing at a rapid rate and becoming core infrastructure for not only medical device companies but also clinical data management and other GxP applications. The FDA recognizes this change and is appropriately placing more emphasis on known software challenges, like validation, risk managment, and process deviation. This expectation extends to all systems that support the product life cycle, including design, development, testing and post-market surveillance. Most companies are unprepared to validate tools like Jira, Github, and any other development tools used across the software development lifecycle.

21 CFR Part  820.70 states: “When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.”

Among other concerns, Vitang was cited for not having proper validation of their complaint-handling application, which they use to record, investigate, and report on product complaints (i.e. post market surveillance). The FDA went so far as to note that just because a system has “proven to be effective” for any length of time does not satisfy the FDAs validation requirements. We believe non-product software validation will increasingly become one of the largest areas of focus for the FDA over the next decade.

Procedure coverage and deviation

A theme the FDA identified included the lack of required documented procedures (e.g. CAPA processes). Further, when procedures did exist, they were not followed. In its letter to Vitang, the FDA cited them for not validating the systems in which they’re manufacturing the product, as well as not validating the quality system they use to manage complaints.

The ZYTOS letter admonished the company for not having design control procedures, notably, the absence of design verification. While software validation largely refers to testing software, the requirement for design verification goes a step further. It involves additional rigor in ensuring that every aspect of the original design specification (the intended use) is documented, and more importantly, that the requirements actually fulfill the intended use. Only then do you test the software. Again, this latter violation stems from a software development culture that doesn’t think about development in this way – especially because of the perceived burden it entails. Yet, for a safety-critical device, it is critical to substantiate the claims made on the label.

In addition to not following their own SOPs, the FDA letters also called out iRhythm and Vitang for either not having formal complaint-handling procedures or simply not following them.

Modified marketing statements

The FDA noted that iRhythm is marketing its system for “unapproved indications,” which would require a new 510(k) submission. In its letter, the FDA writes that the iRhythm device was cleared for “long-term monitoring of arrhythmia events for non-critical care patients,” yet marketing materials talk about “real-time monitoring” and imply that the product is intended for “high-risk patients.” Similarly,  the FDA called out ZYTOS for making claims about what their software can and can’t do outside of their original submission. 

Companies Need to Address Increased Risks Posed by Complex Systems & Rapid  Software Deployment 

While these letters represent an increased focus on software by FDA, these four deficiency areas aren’t new. Challenges with marketing language, process deviation, and software validation for product and non-product software have always been common challenges the industry faces. 

We see the flurry of recent warning letters as demonstrating the FDA’s commitment to keeping pace with technological advancements in the healthcare industry. They indicate the FDA’s intent to strike a balance between promoting innovation and ensuring patient safety. In short, the FDA is getting serious about software, attempting to provide clearer regulatory pathways and expectations for MedTechs. The FDA is also making it clear that manufacturers MUST validate their software and any non-product software components or partner with entities that know how to do this. Any non-compliance or shortcomings in a manufacturer’s products will no longer be tolerated and will be subject to scrutiny, regulatory action or even a recall. 

This is exactly why we built Ketryx, a developer-first way to build regulated software. Ketryx connects the tools your team already uses and loves with existing quality systems while enforcing your SOPs exactly as written. This framework eliminates the tedious and error-prone copy/pasting plaguing many teams in safety-critical environments. Our approach has attracted a world-class team of developers and quality professionals, including former FDA talent, who wrote much of the device software standard (ISO 62304) while leading the FDA’s work in software engineering. With Ketryx, you can easily perform design verification and software validation in the tools you already use to support your CI/CD pipeline, releasing validated software as frequently as needed.

Want to learn more about the FDA’s process? Check out our eBook Inside the FDA Regulatory Process in the Ketryx Learning Center, or explore our blog posts “Why the FDA’s Most Common Warning Letter Might Surprise You” and “The FDA drops a Cybersecurity Compliance SBOM in 2023.” 

‍Want to get started with Ketryx? Schedule a demo with our team today and keep your regulated software compliant!