FDA Publishes Draft Update for Software Assurance Guidance

Today the Food and Drug Administration published a notice in the Federal Register (87 FR 56059-56061) announcing the availability of a draft update for their Computer Software Assurance for Production and Quality System Software. The guidance is supportive of the requirements of 21 CFR 820.70(i) to “validate computer software for its intended use according to an established protocol.” The final version of this document is intended to supplement the current “General Principles of Software Validation”, superseding Section 6 of that document.

The FDA is soliciting public comments on this draft. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2022-D-0795). Comments should be submitted by November 14^th, 2022.

Commentary

While most hacking of manufacturing control systems does not actually change the software, control system software that contains vulnerabilities that allow unauthorized changes to manufacturing parameters should not be considered ‘fit for purpose’. This guidance does not address trying to identify such vulnerabilities, and that is probably reasonable. What should be included, however, is a process for evaluating post-assurance identification of such vulnerabilities.

Manufacturing organizations are not typically going to be writing code for manufacturing or quality control system software/firmware, so they are not directly responsible for identifying vulnerabilities in that code. Vendors of the software are going to be responsible for receiving reports of vulnerabilities from internal and external researchers and taking such corrective action as is appropriate for those vulnerabilities. What the user/owner is going to be responsible for is deciding if/when changes to the software will be applied to their systems.

The guidance document should address how the user/owner is going to identify the existence of vendor updates to the covered software and what risk assessment process will be used to determine if a given update is necessary and when it should be applied, or if other mitigation measures identified by the vendor are adequate protection to the system as used.