top of page
Search

What Level of Software Validation Evidence Is FDA Looking For in 2025?

  • Jun 5
  • 2 min read

TL;DR:


FDA’s 2025 guidance mandates risk-based, documented V&V for SaMD: include unit and integration tests, system-level validation, automated regression checks, code-coverage reports (≥ 80 % for critical modules, ≥ 60 % overall), traceable test cases aligned to hazards, and a continuous validation plan embedded in your eSTAR or 510(k)/De Novo package.


What Level of Software Validation Evidence Is FDA Looking For in 2025?


Why Software Validation Evidence Is Critical


Recent FDA Q4 2024 warning letters highlighted “demonstrable test depth” as a key deficiency in SaMD submissions—insufficient evidence led to Additional Information (AI) requests and 3–6 month delays.


FDA expects your validation to be risk-based (tied to IEC 62304 and ISO 14971) and auditable. Without a clear V&V package, reviewers cannot verify that you’ve mitigated hazards or confirmed software performance, stalling your clearance.





Key 2025 Validation Expectations


1. Risk-Based Test Plan


  • Link every test case to a hazard (per ISO 14971).

  • Prioritize DSF-critical functions (IMDRF III–IV).

  • Document acceptance criteria for each test.


2. Unit & Integration Testing


  • Provide unit-test scripts (with pass/fail logs).

  • Show integration tests between modules and external interfaces (e.g., APIs).

  • Include screenshots or logs demonstrating successful execution.


3. System-Level & Clinical Simulation


  • Simulate real-world scenarios (e.g., noisy signals, edge-case inputs).

  • Capture system logs and outputs for 10–20 simulated use cases.

  • Demonstrate continuous availability (e.g., 99 % uptime over a 48-hr run).


4. Automated Regression Testing


  • Integrate CI/CD tools (Jenkins, GitHub Actions) to run regression suites on every commit.

  • Provide code-coverage reports: ≥ 80 % for critical modules and ≥ 60 % overall.

  • Show badge or summary of coverage reports.


5. Validation Reporting & Audit Trail


  • Consolidate all test results, defect logs, and traceability matrices into a single “Validation Summary Report.”

  • Include time-stamped build artifacts and electronic signatures (per 21 CFR 11).

  • Ensure each test links back to the corresponding hazard and requirement.




Best Practices & Pro Tips


  • Embed validation in your CI/CD pipeline—don’t leave regression tests for “just before submission.”

  • Use simulation frameworks (e.g., MATLAB/Simulink or Python scripts) to generate realistic clinical data and edge cases.

  • Link validation artifacts to your IEC 62304 traceability matrix (SRS ↔ hazard logs ↔ test cases).

  • Maintain version control for test scripts and reports (Git commit tags matching eSTAR submission).

  • Schedule regression sprints aligned with any major DSF code changes or before each formal FDA filing.





FAQ


What code coverage percentage does FDA expect?≥ 80% for critical modules, ≥ 60% overall. 

Include HTML or badge-based reports.


Do I need external validation for system-level tests?

Not required, but independent test labs can strengthen your case.


How often should I run regression tests?

Ideally on every commit during development, and before major submissions.


 
 

Never miss an update

Thanks for signing up!!

bottom of page