소프트웨어밸리데이션일반원칙 (General Principles of Software Validation: Final Guidance for ) Document issued on: January 11, 2002 This document supersedes the draft document, "General Principles of Software Validation", Version 1.1, dated June 9, 1997. U.S. Department of Health and Human Services Food and Drug Administration Center for Devices and Radiological Health www..co.kr 1
Preface Public Comment Comments and suggestions may be submitted at any time for Agency consideration to Dockets Management Branch, Division of Management Systems and Policy, Office of Human Resources and Management Services, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD, 20852. When submitting comments, please refer to the exact title of this guidance document. Comments may not be acted upon by the Agency until the document is next revised or updated. For questions regarding the use or interpretation of this guidance which involve the Center for Devices and Radiological Health (CDRH), contact John F. Murray at (301) 594-4659 or email jfm@cdrh.fda.gov For questions regarding the use or interpretation of this guidance which involve the Center for Biologics Evaluation and Research (CBER) contact Jerome Davis at (301) 827-6220 or email davis@cber.fda.gov. Additional Copies CDRH Additional copies are available from the Internet at: http://www.fda.gov/cdrh/comp/guidance/938.pdf or via CDRH Facts-On-Demand. In order to receive this document via your fax machine, call the CDRH Facts-On- Demand system at 800-899-0381 or 301-827-0111 from a touch-tone telephone. Press 1 to enter the system. At the second voice prompt, press 1 to order a document. Enter the document number 938 followed by the pound sign (#). Follow the remaining voice prompts to complete your request. CBER Additional copies are available from the Internet at: http://www.fda.gov/cber/guidelines.htm, by writing to CBER, Office of Communication, Training, and Manufacturers' Assistance (HFM-40), 1401 Rockville Pike, Rockville, Maryland 20852-1448, or by telephone request at 1-800-835-5709 or 301-827-1800. www..co.kr 2
[ 목차 ] SECTION 1. 목적 (PURPOSE) SECTION 2. 적용범위 (SCOPE) 2.1. 적용대상 (APPLICABILITY) 2.2. 대상자 (AUDIENCE) 2.3. 최소부담방법 (THE LEAST BURDENSOME APPROACH) 2.4. 소프트웨어 밸리데이션의 법적 기준 (REGULATORY REQUIREMENTS FOR SOFTWARE VALIDATION) 2.4. QSR과 PMS(QUALITY SYSTEM REGULATION VS PRE-MARKET SUBMISSIONS) SECTION 3. 소프트웨어 밸리데이션의 기초 (CONTEXT FOR SOFTWARE VALIDATION) 3.1. 용어정의 (DEFINITIONS AND TERMINOLOGY) 3.1.1 기준및규격 (Requirements and Specifications) 3.1.2 베리피케이션과밸리데이션 (Verification and Validation) 3.1.3 IQ/OQ/PQ 3.2. 시스템디자인의일부인소프트웨어개발 (SOFTWARE DEVELOPMENT AS PART OF SYSTEM DESIGN) 3.3. 소프트웨어와하드웨어의차이 (SOFTWARE IS DIFFERENT FROM HARDWARE) 3.4. 소프트웨어밸리데이션의혜택 (BENEFITS OF SOFTWARE VALIDATION) 3.5 디자인검토 (DESIGN REVIEW) SECTION 4. 소프트웨어 밸리데이션의 원칙 (PRINCIPLES OF SOFTWARE VALIDATION) 4.1. 기준 (REQUIREMENTS) 4.2. 결함예방 (DEFECT PREVENTION) 4.3. 시간및노력 (TIME AND EFFORT) 4.4. 소프트웨어라이프사이클 (SOFTWARE LIFE CYCLE) 4.5. 계획서 (PLANS) 4.6. 절차문서 (PROCEDURES) 4.7. 변경에 따른 소프트웨어 밸리데이션 (SOFTWARE VALIDATION AFTER A CHANGE) www..co.kr 3
4.8. 밸리데이션범위 (VALIDATION COVERAGE) 4.9. 검토의독립성 (INDEPENDENCE OF REVIEW) 4.10. 유연성과책임 (FLEXIBILITY AND RESPONSIBILITY) SECTION 5. 활동과태스크 (ACTIVITIES AND TASKS) 5.1. 소프트웨어라이프사이클활동 (SOFTWARE LIFE CYCLE ACTIVITIES) 5.2. 대표적인밸리데이션태스크 (TYPICAL TASKS SUPPORTING VALIDATION) 5.2.1. 품질계획 (Quality Planning) 5.2.2. 기준 (Requirements) 5.2.3. 디자인 (Design) 5.2.4. 구성또는코딩 (Construction or Coding) 5.2.5. 소프트웨어개발자의테스트 (Testing by the Software Developer) 5.2.6. 사용자사업장테스트 (User Site Testing) 5.2.7. 유지관리및소프트웨어변경 (Maintenance and Software Changes) SECTION 6. 자동화공정설비및품질시스템소프트웨어밸리데이션 (VALIDATION OF AUTOMATED PROCESS EQUIPMENT AND QUALITY SYSTEM SOFTWARE) 6.1. 어느정도의밸리데이션증거가필요한가 (HOW MUCH VALIDATION EVIDENCE IS NEEDED?) 6.2. 사용자기준규정 (DEFINED USER REQUIREMENTS) 6.3. OTS 소프트웨어및자동화설비의밸리데이션 (VALIDATION OF OFF-THE-SHELF SOFTWARE AND AUTOMATED EQUIPMENT) APPENDIX A 참고문헌 (REFERENCES) FDA 참고문헌 (Food and Drug Administration References) 기타정부발행참고문헌 (Other Government References) 국제기구및국가표준 (International and National Consensus Standards) 생산공정소프트웨어참고문헌 (Production Process Software References) 일반소프트웨어품질참고문헌 (General Software Quality References) APPENDIX B 개발팀 (DEVELOPMENT TEAM) www..co.kr 4
General Principles of Software Validation This document is intended to provide guidance. It represents the Agency s current thinking on this topic. It does not create or confer any rights for or on any person and does not operate to bind Food and Drug Administration (FDA) or the public. An alternative approach may be used if such approach satisfies the requirements of the applicable statutes and regulations. 이문서는가이드라인을제공한다. 이문서는이주제에대한 FDA의방침을제시한다. 이문서는어느누구에게일체의권리를부여하거나인정하지않으며 FDA 또는일반대중을구속하지도않는다. 관련법규에제시된기준을만족시킬수있는다른방법이있다면, 그방법을활용할수도있다. SECTION 1. 목적 (PURPOSE) This guidance outlines general validation principles that the Food and Drug Administration (FDA) considers to be applicable to the validation of medical device software or the validation of software used to design, develop, or manufacture medical devices. This final guidance document, Version 2.0, supersedes the draft document, General Principles of Software Validation, Version 1.1, dated June 9, 1997. 이가이드문서는의료용구소프트웨어의밸리데이션또는의료용구디자인, 개발, 또는제조에사용되는소프트웨어의밸리데이션에적용할수있다고 FDA가생각하는일반밸리데이션원칙을제시한다. 이가이드문서 (Version 2.0) 는 1997년 6월 9일발행된초안문서 (General Principles of Software Validation, Version 1.1)" 를대체한다. SECTION 2. 적용범위 (SCOPE) This guidance describes how certain provisions of the medical device Quality System regulation apply to software and the agency s current approach to evaluating a software validation system. For example, this document lists elements that are acceptable to the FDA for the validation of software; however, it does not list all of the activities and tasks that must, in all instances, be used to comply with the law. 이가이드문서는의료용구 QSR(Quality System Regulation) 의소프트웨어관련조항과 www..co.kr 5
FDA 의소프트웨어밸리데이션시스템평가방법을설명한다. 예를들어 FDA 가인정하는 소프트웨어밸리데이션의필수요소를정리하여제시한다. 하지만모든상황을감안하여 관련법규준수를위해적용해야할모든활동과태스크를제시하고있지는않다. The scope of this guidance is somewhat broader than the scope of validation in the strictest definition of that term. Planning, verification, testing, traceability, configuration management, and many other aspects of good software engineering discussed in this guidance are important activities that together help to support a final conclusion that software is validated. 이가이드문서의적용범위는엄격한의미의밸리데이션보다약간더넓다. 이가이드문서에서설명하고있는 GSE(Good Software Engineering) 의다양한여러부분 ( 기획, 베리피케이션, 테스트, 추적성, 구성관리등 ) 은소프트웨어가밸리데이션되었다는최종결론을함께뒷받침하는중요한활동이다. This guidance recommends an integration of software life cycle management and risk management activities. Based on the intended use and the safety risk associated with the software to be developed, the software developer should determine the specific approach, the combination of techniques to be used, and the level of effort to be applied. While this guidance does not recommend any specific life cycle model or any specific technique or method, it does recommend that software validation and verification activities be conducted throughout the entire software life cycle. 이가이드문서는소프트웨어라이프사이클관리및리스크관리활동의통합을권장한다. 개발예정소프트웨어의목적용도및안전리스크에기초하여, 소프트웨어개발자는구체적인방법, 각종기술의조합, 업무의수준을결정해야한다. 이가이드문서가어떤구체적인라이프사이클모델이나특정기술또는방법을권장하고있지는않지만, 전체소프트웨어라이프사이클에걸쳐소프트웨어밸리데이션과베리피케이션활동을수행해야한다. Where the software is developed by someone other than the device manufacturer (e.g., off-the-shelf software) the software developer may not be directly responsible for compliance with FDA regulations. In that case, the party with regulatory responsibility (i.e., the device manufacturer) needs to assess the adequacy of the off-the-shelf software developer s activities and determine what www..co.kr 6
additional efforts are needed to establish that the software is validated for the device manufacturer s intended use. 의료용구제조업체이외의다른누군가가소프트웨어를개발한다면 ( 예, 기성품 (off-theshelf, OTS) 소프트웨어 ), 소프트웨어개발자는 FDA 규정준수에직접적인책임이없을수있다. 그런경우에 FDA 규정을준수할책임이있는당사자 ( 즉, 의료용구제조업체 ) 는 OTS 소프트웨어개발자의활동이적절한지평가하고, 의료용구제조업체의목적용도를감안해그소프트웨어를밸리데이션하려면어떤추가적인작업을해야하는지결정할필요가있다. 2.1. 적용대상 (APPLICABILITY) This guidance applies to: 이가이드문서의적용대상은다음과같다. Software used as a component, part, or accessory of a medical device; 의료용구의한컴포넌트, 부품, 또는액세서리로사용되는소프트웨어. Software that is itself a medical device (e.g., blood establishment software); 그자체가의료용구인소프트웨어 ( 예, 혈액시설소프트웨어 ). Software used in the production of a device (e.g., programmable logic controllers in manufacturing equipment); and 의료용구생산에사용되는소프트웨어 ( 예, 제조설비의 PLC). Software used in implementation of the device manufacturer's quality system (e.g., software that records and maintains the device history record). 의료용구제조업체의품질시스템구축에사용되는소프트웨어 ( 예, 의료용구 이력기록서 (DHR) 의기록및유지관리에사용되는소프트웨어 ). This document is based on generally recognized software validation principles and, therefore, can be applied to any software. For FDA purposes, this guidance applies to any software related to a regulated medical device, as defined by Section 201(h) of the Federal Food, Drug, and Cosmetic Act (the Act) and by current FDA software and regulatory policy. This document does not specifically identify which software is or is not regulated. 이문서는일반적으로인정되는소프트웨어밸리데이션원칙을기반으로하며, 그러므로 www..co.kr 7
어떤소프트웨어에도적용할수있다. FDA 입장에서이가이드문서는연방식품의약품화장품법 ( 이하 " 법 ") 섹션 201(h) 와 FDA 소프트웨어및규제방침에규정된규제대상의료용구관련소프트웨어에적용된다. 하지만어떤소프트웨어가규제대상인지여부는구체적으로명시하지않는다. 2.2. 대상자 (AUDIENCE) This guidance provides useful information and recommendations to the following individuals: 이가이드문서는다음의자에게유용한정보와권고사항을제공한다. Persons subject to the medical device Quality System regulation 의료용구 QSR 대상인자. Persons responsible for the design, development, or production of medical device software 의료용구소프트웨어디자인, 개발, 또는생산을책임지는자. Persons responsible for the design, development, production, or procurement of automated tools used for the design, development, or manufacture of medical devices or software tools used to implement the quality system itself 품질시스템구축에사용되는소프트웨어도구나의료용구디자인, 개발또는제조에사용되는자동화도구의디자인, 개발, 생산, 또는구매를책임지는자. FDA Investigators FDA 실사자. FDA Compliance Officers FDA 준법감시관. FDA Scientific Reviewers FDA 과학심사관 2.3. 최소부담방법 (THE LEAST BURDENSOME APPROACH) We believe we should consider the least burdensome approach in all areas of medical device regulation. This guidance reflects our careful review of the relevant scientific and legal requirements and what we believe is the least burdensome way www..co.kr 8
for you to comply with those requirements. However, if you believe that an alternative approach would be less burdensome, please contact us so we can consider your point of view. You may send your written comments to the contact person listed in the preface to this guidance or to the CDRH Ombudsman. Comprehensive information on CDRH s Ombudsman, including ways to contact him, can be found on the Internet at: http://www.fda.gov/cdrh/resolvingdisputes/ombudsman.html. 의료용구규제영역전체에걸쳐최소부담방법을고려해야한다고생각한다. 이가이드문서는관련과학적 / 법적기준과이들기준의준수를위한최소부담방법이라고생각하는것을신중하게검토하여개발되었다. 하지만부담이적은다른방법이있다고생각하면, 언제든지 FDA로연락하여검토할수있게하길바란다. 이가이드문서서문에제시된연락처나 CDRH 옴부즈맨 (Ombudsman) 으로의견서를보낼수있다. CDRH 옴부즈맨정보와문의처 : http://www.fda.gov/cdrh/resolvingdisputes/ombudsman.html. 2.4. 소프트웨어밸리데이션의법적기준 (REGULATORY REQUIREMENTS FOR SOFTWARE VALIDATION) The FDA s analysis of 3140 medical device recalls conducted between 1992 and 1998 reveals that 242 of them (7.7%) are attributable to software failures. Of those software related recalls, 192 (or 79%) were caused by software defects that were introduced when changes were made to the software after its initial production and distribution. Software validation and other related good software engineering practices discussed in this guidance are a principal means of avoiding such defects and resultant recalls. 1992년부터 1998년사이에발생한의료용구리콜 3140건을분석한결과, 이가운데 242건 (7.7%) 이소프트웨어이상때문인것으로밝혀졌다. 소프트웨어관련리콜가운데 192건 (79%) 은최초생산및유통이후소프트웨어에가해진변경으로발생한소프트웨어결함때문이었다. 이가이드문서에서설명하고있는소프트웨어밸리데이션및기타관련 GSEP(good software engineering practice) 는그런결함과그에따른리콜을방지하기위한기본적인수단이다. Software validation is a requirement of the Quality System regulation, which was published in the Federal Register on October 7, 1996 and took effect on June 1, 1997. (See Title 21 Code of Federal Regulations (CFR) Part 820, and 61 Federal www..co.kr 9
Register (FR) 52602, respectively.) Validation requirements apply to software used as components in medical devices, to software that is itself a medical device, and to software used in production of the device or in implementation of the device manufacturer's quality system. 소프트웨어밸리데이션은 1996년 10월 7일연방공보 (Federal Register) 에공표되어 1997년 6월 1일발효된 QSR(Quality System Regulation) 에서요구되는기준이다. (21 CFR Part 820 및 61 FR 52602 참조.) 밸리데이션기준은의료용구의컴포넌트로사용되는소프트웨어, 그자체가의료용구인소프트웨어, 그리고의료용구제조업체의품질시스템구축또는의료용구생산에사용되는소프트웨어에적용된다. Unless specifically exempted in a classification regulation, any medical device software product developed after June 1, 1997, regardless of its device class, is subject to applicable design control provisions. (See of 21 CFR 820.30.) This requirement includes the completion of current development projects, all new development projects, and all changes made to existing medical device software. Specific requirements for validation of device software are found in 21 CFR 820.30(g). Other design controls, such as planning, input, verification, and reviews, are required for medical device software. (See 21 CFR 820.30.) The corresponding documented results from these activities can provide additional support for a conclusion that medical device software is validated. 분류규정 (classification regulation) 에따라구체적으로면제된경우가아니면, 의료용구클래스에상관없이 1997년 6월 1일이후개발된모든의료용구소프트웨어제품은해당디자인관리조항의적용대상이된다. (21 CFR 820.30 참조.) 이기준은현개발프로젝트의완료, 모든신규개발프로젝트, 기존의료용구소프트웨어의모든변경을포함한다. 의료용구소프트웨어밸리데이션에대한구체적인기준은 21 CFR 820.30(g) 에제시되어있다. 계획, 입력, 베리피케이션, 검토등기타디자인관리도의료용구소프트웨어에필요하다. (21 CFR 820.30 참조.) 이들활동의결과를문서화하면의료용구소프트웨어가밸리데이션되었다는결론을추가적으로뒷받침할수있다. Any software used to automate any part of the device production process or any part of the quality system must be validated for its intended use, as required by 21 CFR 820.70(i). This requirement applies to any software used to automate device design, testing, component acceptance, manufacturing, labeling, packaging, distribution, complaint handling, or to automate any other aspect of the quality www..co.kr 10
system. 의료용구생산프로세스의일부또는품질시스템의일부를자동화하기위해사용되는모든소프트웨어는목적용도에맞는지밸리데이션해야한다 (21 CFR 820.70(i)). 이기준은의료용구디자인, 테스트, 컴포넌트인수, 제조, 라벨작업, 포장, 유통, 불만처리의자동화또는기타품질시스템부분의자동화에사용되는모든소프트웨어에적용된다. In addition, computer systems used to create, modify, and maintain electronic records and to manage electronic signatures are also subject to the validation requirements. (See 21 CFR 11.10(a).) Such computer systems must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records. 이외에도전자기록서의작성, 변형, 유지관리및전자서명관리에사용되는컴퓨터시스템도밸리데이션기준의대상이된다. (21 CFR 11.10(a) 참조.) 이와같은컴퓨터시스템은정확성, 신뢰성, 목적성능의일관성, 그리고무효또는수정기록의파악능력을밸리데이션해야한다. Software for the above applications may be developed in-house or under contract. However, software is frequently purchased off-the-shelf for a particular intended use. All production and/or quality system software, even if purchased off-the-shelf, should have documented requirements that fully define its intended use, and information against which testing results and other evidence can be compared, to show that the software is validated for its intended use. 상기애플리케이션을위한소프트웨어는자체개발하거나계약에의거하여개발할수있다. 하지만특정용도에맞는기성품 (OTS) 을구매하는경우도많다. 모든생산및 / 또는품질시스템소프트웨어는 OTS 제품을구매하는경우라해도, 목적용도를충분히규정한기준문서와테스트결과및기타증거자료를비교할수있는정보를구비하여, 소프트웨어가목적용도에맞게밸리데이션되었음을보여주어야한다. The use of off-the-shelf software in automated medical devices and in automated manufacturing and quality system operations is increasing. Off-the-shelf software may have many capabilities, only a few of which are needed by the device manufacturer. Device manufacturers are responsible for the adequacy of the software used in their devices, and used to produce devices. When device manufacturers purchase "off-the-shelf'' software, they must ensure that it will www..co.kr 11
perform as intended in their chosen application. For off-the-shelf software used in manufacturing or in the quality system, additional guidance is included in Section 6.3 of this document. For device software, additional useful information may be found in FDA s Guidance for Industry, FDA Reviewers, and Compliance on Off-The- Shelf Software Use in Medical Devices. 자동의료용구및자동제조 / 품질시스템에 OTS 소프트웨어를활용하는경향이점차증가하고있다. OTS 소프트웨어는많은기능을구비하고있을수있지만, 이가운데일부만이의료용구제조업체에게필요하다. 의료용구제조업체는의료용구에사용하는소프트웨어와의료용구생산에사용하는소프트웨어의적절성을책임져야한다. 의료용구제조업체가 OTS 소프트웨어를구매한다면, 실제상황에서그소프트웨어가목적한바의성능을발휘하는지확인해야한다. 제조또는품질시스템에사용되는 OTS 소프트웨어에대한추가적인사항이이문서의섹션 6.3에제시되어있다. 의료용구소프트웨어에대한추가적인정보를 FDA의다른가이드문서 (Guidance for Industry, FDA Reviewers, and Compliance on Off-The-Shelf Software Use in Medical Devices) 에서찾을수있다. 2.4. QSR 과 PMS(QUALITY SYSTEM REGULATION VS PRE-MARKET SUBMISSIONS) This document addresses Quality System regulation issues that involve the implementation of software validation. It provides guidance for the management and control of the software validation process. The management and control of the software validation process should not be confused with any other validation requirements, such as process validation for an automated manufacturing process. 이문서는소프트웨어밸리데이션관련 QSR 사항을설명한다. 소프트웨어밸리데이션프로세스의운영및관리에관한가이드라인을제공한다. 소프트웨어밸리데이션프로세스의운영및관리와기타밸리데이션기준 ( 예, 자동화제조공정의공정밸리데이션 ) 을혼동해서는안된다. Device manufacturers may use the same procedures and records for compliance with quality system and design control requirements, as well as for pre-market submissions to FDA. This document does not cover any specific safety or efficacy issues related to software validation. Design issues and documentation requirements for pre-market submissions of regulated software are not addressed by this document. Specific issues related to safety and efficacy, and the www..co.kr 12
documentation required in pre-market submissions, should be addressed to the Office of Device Evaluation (ODE), Center for Devices and Radiological Health (CDRH) or to the Office of Blood Research and Review, Center for Biologics Evaluation and Research (CBER). See the references in Appendix A for applicable FDA guidance documents for pre-market submissions. 의료용구제조업체는품질시스템및디자인관리기준의준수와 PMS(pre-market submission) 에동일한절차와기록서를활용할수있다. 이문서는소프트웨어밸리데이션관련안전성또는유효성사안은다루지않는다. 규제대상소프트웨어의 PMS를위한디자인및문서기준도대상이아니다. 안전성 / 유효성및 PMS 문서관련사항은 ODE(Office of Device Evaluation), CDRH(Center for Devices and Radiological Health), OBRR(Office of Blood Research and Review), CBER(Center for Biologics Evaluation and Research) 에문의한다. PMS 관련 FDA 가이드문서는부록 A의참고문헌을참조한다. 총 97 페이지입니다. 파일 (Printable PDF) 구입을원하시는분은 @hanmail.net 으로연락주시기 바랍니다. www..co.kr 13