Testing

FDA Software Validation Testing: Guide for Medical Device Software

HelpMeTest

HelpMeTest

6 min read
FDA Software Validation Testing: Guide for Medical Device Software

FDA software validation is one of the most rigorous testing requirements in any industry. Unlike general software quality practices, FDA validation for medical devices creates legal liability — insufficient validation is a regulatory violation that can result in Warning Letters, consent decrees, and market recalls.

This guide covers what FDA software validation actually requires, how it differs from general software testing, and what engineering teams need to implement.

FDA Software Validation vs. General Software Testing

Understanding the distinction is essential before discussing requirements.

General software testing verifies that software does what the specification says. If tests pass, the software is assumed to work.

FDA validation establishes with documented evidence that a specific process consistently produces a product meeting predetermined specifications and quality attributes. The key phrases:

  • Documented evidence: Validation cannot happen without a paper trail. Undocumented testing isn't validation.
  • Consistently produces: Validation shows the system works reliably, not just once.
  • Predetermined specifications: Requirements must exist before validation begins. Validation of requirements you define after seeing the software doesn't count.

For software, FDA uses the terms:

  • Verification: "Have we built the product right?" — Software functions as designed.
  • Validation: "Have we built the right product?" — Software meets intended use and user needs.

Both are required, and both require documentation.

Which Software Is Subject to FDA Validation?

Medical Device Software

Software that is or is part of a medical device (as defined in 21 CFR 201(h)) is regulated. This includes:

  • Software running on physical medical devices (infusion pumps, diagnostic imaging)
  • Software accessories to devices
  • Mobile apps that function as medical devices
  • Software as a Medical Device (SaMD)

Software of Unknown Provenance (SOUP)

Off-the-shelf software incorporated into medical device software (operating systems, databases, libraries) is called SOUP in FDA/IEC 62304 terminology. You don't validate SOUP itself, but you must manage it and understand how failures would impact safety.

What's NOT Regulated

  • Software that aids clinical workflows but doesn't diagnose, treat, or monitor (administrative software)
  • General wellness apps
  • Software for clinical decision support that only displays information and relies on clinician judgment

When in doubt, perform a software function risk assessment to determine regulatory status.

Risk Classification: The Foundation of Everything

FDA validation requirements scale with risk. The FDA's Software-Related Guidance (2022) and IEC 62304 both use risk classification to calibrate validation effort.

FDA Device Classification:

  • Class I: Low risk (e.g., tongue depressors). General controls.
  • Class II: Moderate risk (e.g., blood pressure monitors). 510(k) clearance typically required.
  • Class III: High risk (e.g., pacemakers, implantable devices). PMA approval required.

IEC 62304 Software Safety Classification (used in FDA validation):

  • Class A: No injury or damage to health is possible
  • Class B: Injury is possible but not serious
  • Class C: Death or serious injury is possible

The software safety class determines the required rigor of development and testing activities. Class C software requires the most comprehensive validation.

FDA Validation Framework: The V-Model

FDA software validation follows a V-model structure:

User Needs               →              Validation
    System Requirements  →          System Testing
        Software Requirements →  Integration Testing
            Software Design  → Unit Testing
                               Coding

Each left-side phase has a corresponding right-side testing phase. Every right-side test traces back to a specific left-side requirement.

Critical principle: Every test must trace to a requirement. Every requirement must have a test. If either is missing, the validation is incomplete.

Required Documentation

FDA validation requires a specific set of documents. Missing documents are findings in FDA inspections.

Software Development Plan (SDP)

Documents how software will be developed, including:

  • Software lifecycle model
  • Development environment
  • Configuration management approach
  • Testing strategy and tools
  • Risk management integration

Software Requirements Specification (SRS)

All functional, performance, and safety requirements must be documented before development. Requirements must be:

  • Unambiguous (one interpretation)
  • Testable (can be objectively verified)
  • Traceable (linked to user need)

Vague requirements like "the system shall be responsive" are not valid SRS requirements. "The system shall display results within 2 seconds for 95% of queries" is valid.

Risk Management File (21 CFR 820.30, ISO 14971)

Risk analysis identifying hazards, causes, harms, probabilities, and mitigations. Software-specific risks must be identified and addressed in design.

Risk management is tightly coupled to testing: mitigation measures require verification that they work.

Software Verification and Validation Plan (SVVP)

Documents the testing strategy:

  • What will be tested
  • Testing methods and tools
  • Acceptance criteria
  • Test environment description
  • Roles and responsibilities

Test Protocols and Test Reports

For every test in the plan:

  • Protocol: Specific steps, expected results, acceptance criteria — written before testing
  • Report: Actual results, deviations, pass/fail determination — written during/after testing

Test protocols that are rewritten to match actual results are regulatory fraud.

Traceability Matrix

Links user needs → system requirements → software requirements → design elements → test cases. Demonstrates complete coverage.

A traceability matrix with gaps (requirements without tests, tests without requirements) is a finding.

What to Test in FDA Validation

Functional Testing

Every functional requirement must have at least one test case demonstrating it works. Test cases must include:

  • Specific inputs
  • Step-by-step procedure
  • Expected results (objective, measurable)
  • Acceptance criteria (pass/fail definition)

Boundary and Edge Case Testing

FDA expects testing at requirement boundaries. If a requirement says "the system shall accept values from 1 to 100," test 1, 100, 0, 101, and invalid inputs.

Stress and Performance Testing

For software where performance matters (real-time monitoring, time-sensitive alerts), performance requirements must be verified.

Security Testing

FDA's guidance on cybersecurity (2023 final guidance) requires security testing throughout the development lifecycle. For connected devices:

  • Authentication mechanisms
  • Data encryption
  • Vulnerability assessment
  • Penetration testing

Regression Testing

After any change to validated software, regression testing verifies that unchanged functions still work correctly. FDA requires a documented approach to regression testing that's proportional to the risk and nature of changes.

User Validation Testing (Usability)

For Class II and III devices, human factors validation testing verifies that real users can use the device safely and effectively. This isn't functional testing — it's observational testing with representative users performing representative tasks.

Usability failures that lead to use errors are a significant source of medical device recalls.

Change Control and Re-Validation

Once software is validated, changes require controlled processes. Not all changes require full re-validation, but all changes require documented assessment.

Questions to answer for any change:

  1. What was changed?
  2. Could this change affect validated functions?
  3. What testing is needed to verify the change and confirm no unintended effects?

Levels of testing required by change type:

Change Type Testing Required
Bug fix (no spec change) Regression of affected functions + related areas
New feature (new requirements) Full V&V of new requirements + regression
Infrastructure change (new server, OS version) Environmental qualification + regression
Third-party library update SOUP assessment + targeted regression

Every change must be documented in a change control record before implementation.

Software Version Control Requirements

FDA requires knowing exactly what code was in the product at any point in time. This means:

  • Version control for all code (mandatory, not optional)
  • Release management that ties releases to specific commits/tags
  • Ability to reproduce any released version exactly

For validation, the version being tested must be clearly identified and tied to the test records.

Automated Testing in FDA-Regulated Software

Automated testing is not only allowed but increasingly expected. However, automation tools in a regulated context require their own qualification.

Computer System Validation (CSV) for Test Tools

Automated testing tools (Selenium, Playwright, Robot Framework, etc.) that are used as part of the validation process must themselves be qualified. This doesn't mean full validation, but it does mean:

  • Documented evidence that the tool works as expected for your use
  • Testing of the tool in your specific environment
  • Version control of test scripts
  • Documented maintenance of the tool qualification when versions change

Automated Testing Documentation

Automated test results must meet the same documentation standards as manual test results:

  • Test scripts under version control, identified with the software version tested
  • Test execution logs archived as objective evidence
  • Failures investigated and resolved or risk-assessed

Benefits of Automation in FDA Context

Automated tests can be run deterministically — same inputs, same procedure, same results every time. This is actually advantageous in a regulated context because human variability is a source of procedural deviation.

Common FDA Validation Failures

Test cases written after testing. If the expected result is filled in based on what actually happened (rather than what was specified to happen), the test is invalid.

Missing traceability. Requirements without test cases, test cases without requirements. Both are gaps.

No change control. Software changed after validation without documented assessment of the change's impact and required re-testing.

Insufficient regression. A bug fix is tested in isolation but the broader impact on related functions isn't assessed.

Undocumented deviations. A test was run differently than the protocol specified. If there's no deviation record, the test result is suspect.

Version confusion. Test reports don't clearly identify which version was tested, or the version tested doesn't match the version released.

Getting Started: The Minimum Viable FDA Validation Package

For a new medical device software product starting validation:

  1. Software Development Plan — how you'll build and test the software
  2. Software Requirements Specification — complete, testable, traceable requirements
  3. Risk Management File — hazards, mitigations, residual risk acceptance
  4. Software Verification and Validation Plan — testing strategy and scope
  5. Traceability Matrix — requirements to tests
  6. Test Protocols — written before execution
  7. Test Reports — objective evidence of execution and results
  8. Summary Report — overall validation conclusion

This is the minimum. Higher-risk devices require more.

Conclusion

FDA software validation is rigorous by design — the consequence of insufficiently validated medical software can be patient harm. The documentation requirements exist to create accountability and traceability.

For engineering teams, the key mindset shift is that documentation is the product, not a byproduct. Test results without documentation don't exist from FDA's perspective. A well-run validation process generates documentation naturally from disciplined development practices.

The teams that handle FDA inspection without difficulty are the ones who treat validation as engineering discipline, not regulatory compliance theater. Every requirement has a test. Every test has a result. Every result is documented. Every change is controlled.

For automated testing infrastructure that supports regulated environments — including deterministic test execution, test result archiving, and audit trails — HelpMeTest provides automation capabilities useful for ongoing validation activities.

Read more