FDA Software Validation 2025: What Evidence to Show

In 2025, FDA reviews a risk-based software evidence package per the Device Software Functions (DSF) guidance: choose Basic or Enhanced documentation, supply V&V protocols/results (unit/integration/system as applicable), traceability to hazards/requirements, version history, and unresolved anomalies. AI adds lifecycle docs per the 2025 AI draft, and cyber devices need the 2025 cybersecurity artifacts. eSTAR is required for 510(k) and required for De Novo on Oct 1, 2025.

Why Software Validation Evidence Is Critical

Recent FDA Q4 2024 warning letters highlighted “demonstrable test depth” as a key deficiency in SaMD submissions—insufficient evidence led to Additional Information (AI) requests and 3–6 month delays.

FDA expects your validation to be risk-based (tied to IEC 62304 and ISO 14971) and auditable. Without a clear V&V package, reviewers cannot verify that you’ve mitigated hazards or confirmed software performance, stalling your clearance.

Key 2025 Validation Expectations

1. Risk-Based Test Plan

• Link every test case to a hazard (per ISO 14971).

• Prioritize DSF-critical functions (IMDRF III–IV).

• Document acceptance criteria for each test.

2. Unit & Integration Testing

• Provide unit-test scripts (with pass/fail logs).

• Show integration tests between modules and external interfaces (e.g., APIs).

• Include screenshots or logs demonstrating successful execution.

  
  

3. System-Level & Clinical Simulation

• Simulate real-world scenarios (e.g., noisy signals, edge-case inputs).

• Capture system logs and outputs for 10–20 simulated use cases.

• Demonstrate continuous availability (e.g., 99 % uptime over a 48-hr run).

  
  

4. Automated Regression Testing

• Integrate CI/CD tools (Jenkins, GitHub Actions) to run regression suites on every commit.

• Provide code-coverage reports: ≥ 80 % for critical modules and ≥ 60 % overall.

• Show badge or summary of coverage reports.

  
  

5. Validation Reporting & Audit Trail

• Consolidate all test results, defect logs, and traceability matrices into a single “Validation Summary Report.”

• Include time-stamped build artifacts and electronic signatures (per 21 CFR 11).

• Ensure each test links back to the corresponding hazard and requirement.

Best Practices & Pro Tips

• Embed validation in your CI/CD pipeline—don’t leave regression tests for “just before submission.”

• Use simulation frameworks (e.g., MATLAB/Simulink or Python scripts) to generate realistic clinical data and edge cases.

• Link validation artifacts to your IEC 62304 traceability matrix (SRS ↔ hazard logs ↔ test cases).

• Maintain version control for test scripts and reports (Git commit tags matching eSTAR submission).

• Schedule regression sprints aligned with any major DSF code changes or before each formal FDA filing.

The Fastest Path to Market

No more guesswork. Move from research to a defendable FDA strategy, faster. Backed by FDA sources. Teams report 12 hours saved weekly.

• FDA Product Code Finder, find your code in minutes.

• 510(k) Predicate Intelligence, see likely predicates with 510(k) links.

• Risk and Recalls, scan MAUDE and recall patterns.

• FDA Tests and Standards, map required tests from your code.

• Regulatory Strategy Workspace, pull it into a defendable plan.

👉 Start free at complizen.ai

FAQ

What code coverage percentage does FDA expect?≥ 80% for critical modules, ≥ 60% overall. 

Include HTML or badge-based reports.

Do I need external validation for system-level tests?

Not required, but independent test labs can strengthen your case.

How often should I run regression tests?

Ideally on every commit during development, and before major submissions.