Warning Letter – Software Validation Shortcomings

December 26, 2019

Excerpts from warning letter of interest to software professionals:

“The inspection also revealed that your … LED light therapy devices are adulterated within the meaning of section 501(h) of the Act, 21 U.S.C. § 351(h), in that the methods used in, or the facilities or controls used for, their manufacture, packing, storage, or installation are not in conformity with the current good manufacturing practice requirements of the Quality System regulation found at 21 CFR Part 820.”

2. Procedures for design control have not been established and maintained per the requirements of 21 CFR 820.30, to include a complete risk analysis.

“During our inspection, the Design Control Procedure, … and the Design Change Control Procedure, … were provided. These draft procedures were dated the day our inspection began and had not been reviewed or approved as required by your Document and Data Control Procedure, … . The Design Control Procedure states that devices developed before the Procedure became effective may follow a retrospective approach for documenting design; however, the documents provided did not document any such retrospective approach.

In general, many design documents reviewed during the inspection were not approved, were not complete, and did not follow an established procedure. For example, a Design Plan, … was provided, but it is undated and has no signatures demonstrating the document is approved as required by your Document and Data Control Procedure. In addition, two design checklists were provided dated … . The checklists refer to a “Product Brief” that could not be provided upon request. The checklists were not signed and did not demonstrate approval (i.e., all places for “sign off” were left blank). Design reviews, verification and validation, and design changes should follow an approved procedure and be governed by document controls that demonstrate appropriate review, approval, and control.”

Now for the software stuff:

“The Software Validation Procedure, dated xxx (issued the day before our preannounced inspection began), was also provided during the inspection. All documents related to software validation should be aligned per the requirements of your design procedures and this Software Validation Procedure. We recommend that you review your procedures against 21 CFR 820.30 to ensure all requirements are met because the software validation documents provided during the inspection do not appear to have been governed by a procedure at the time of performance. In addition, the Software Validation Report dated x/x/xxxx references a (b)(4) minute default setting for the run time of “The Vevazz” yet the treatment time is listed in the “Vevazz” User Manual as 7 minutes. The test plan referred to within this report was requested, but could not be provided. Per the two different treatment times indicated in clearances, the device and related software should be validated to demonstrate consistent performance for either treatment time based on the indication(s) for use.

Your firm’s Software Validation and Risk Mitigation Procedures reference risk assessment. The Software Level of Concern document provided to address risk analysis lists mitigations to defined risks such as visual inspection, however no documentation of visual inspection or other mitigating steps could be provided during the inspection. Without adequate records documenting performance of risk mitigation steps, there is no assurance that the risks identified with the device have been adequately controlled/mitigated to reduce the hazards to the user as required per your Hazard Analysis document, rev 0, no release date.

Your response indicates you will implement the “design control procedures” by x/x/xxxx, and compile the Design History File (DHF) by x/x/xxxx. We cannot evaluate the adequacy of your firm’s response and proposed actions at this time as you have not provided objective evidence of corrections.”

See the complete Warning Letter at this link:  https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/vevazz-llc-592118-12262019

About the author

Brian Pate helps medical device companies achieve efficient and FDA regulatory compliant product development to produce higher quality and clinically valued software. He began his career in clinical research in 1985 with the Department of Anesthesiology at UAB developing closed-loop control systems for the automated delivery of gases and control. In 1990, he made the switch from university research to the medical device industry designing control systems, communication interfaces, user interface, and other software for real-time embedded systems and clinical information systems, working for medical device companies including Johnson & Johnson, Baxter Healthcare, and GE Medical. Today, he is a Partner and the General Manager of Crisis Prevention and Recovery LLC (dba SoftwareCPR®), a general-purpose regulatory consulting firm that is recognized globally for their expertise with standards and national regulations pertaining to medical device, mobile medical app, and HealthIT software. He has taught the AAMI/FDA course on Software Regulation to FDA Reviewers at FDA and is currently the lead faculty for the public version of that course taught annually along with FDA staff. Brian served on the AAMI/FDA TIR working group that created AAMI TIR32 Guidance on the application of ISO 14971 to Software (later superseded by IEC 80002-1). He later served on the original AAMI/FDA working group that created the AAMI TIR45-2012 TIR Guidance on the use of Agile practices in the development of medical device software and is currently the co-chair leading the creation of the 2nd edition of TIR45. He has served as faculty for all offerings of the AAMI/FDA Compliant Use of Agile Methods public course. Brian also served as an instructor for the AAMI Design Controls course. He is also a member of the Underwriters’ Laboratories Standards Technical Panel 5500, Remote Software Updates. He now serves as a member of the AAMI Software Committee.
