What are the Software Validation Requirements of ISO 13485:2016?
Written by John Lafferty and Carmel McCrea Kelly
With the recent transition of many medical device companies to ISO 13485:2016 “Medical Devices – Quality management systems – Requirements for regulatory purposes”, it is a challenge for the industry to obtain suitably qualified software validation engineers to fulfill its requirements.
In this blog, we aim to help you deal with the process of validating software used in the manufacturing/testing of medical devices and software used in the Medical Device Quality Management Systems.
Topics covered in this blog:
1. How to meet the Software Validation Requirements of ISO 13485:2016
2. A suggested layout of documenting risk within the Master Validation Plan
3. How to Categorise the Software Used at your Medical Device company
4. Examples of computer software used in the Quality Management System
5. Validation of Software Used in Manufacturing Processes and Test Equipment
6. Software Validation of Outsourced Processes
7. Software Validation Assistance/Consultancy from Northridge Quality and Validation
8. Software Validation Training
1) How to meet the Software Validation Requirements of ISO 13485:2016 – 3 elements
ISO 13485:2016 Section 4.1.6 “Quality management system, General requirements” and 7.5.6 “Validation of processes for production and service provision” state the following: “The organisation shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with the software validation and revalidation shall be proportionate to the risk associated with the use of the software. Records of such activities shall be maintained”.
In a nutshell, what does the industry need to do? We at Northridge Quality & Validation have broken down the requirements into the following three elements:
1. Software Validation Requirements for ISO 13485:2016
2. Output Documentation
3. Templates Required
Table 1: Software Validation Elements
2) A Suggested Layout for Documenting Risk within the Master Validation Plan
Figure 1: Suggested layout of documenting risk within the Master Validation Plan or Master register
As per figure 1 above, the risk rating cell can be set up with a drop-down list, such as low, medium or high. Justification for a low risk rating may be, for example, that the software does not affect product or pose any risk to the patient and, as such, the validation output documentation is decreased. The company’s risk rating definitions should be generated using a cross-functional team. Representation from a clinical board may be required if clinical matters are being discussed.
When completing the risk assessment on software, consultation with ISO 14971 “Medical devices — Application of risk management to medical devices” and ISO 80002 “Medical device software — Part 2: Validation of software for medical device quality systems” is recommended. The benefit of performing a risk assessment is the outcome, for example, that low risk systems will require minimum validation effort while high-risk systems will have an increased validation effort. The risk assessment becomes the rationale for the validation effort. European Notified Bodies auditing software validation often regard the software risk assessment as the most important element of the validation.
3) How to Categorise the Software Used at your Medical Device company
The GAMP 5 guideline is the easiest model to follow to categorise the software at your facility.
The following table outlines the GAMP 5 classification of software and the associated validation effort required:
4) Examples of computer software used in the Quality Management System
So, what are examples of computer software used in the Quality Management System?
Answer: Any software used within the Quality Management System that can affect product conformity or risk to the patient. The following are a few examples:
• Any software that manages the CAPA System
• Any software that manages the Complaints system
• Any software that manages the Non-Conforming Product System
• Any software that manages the Training and HR System
• Any software that holds product status, e.g. “Quarantine” or “Approved” (for example, ERP systems)
• Any software that performs calculations related to the release of product, e.g. an Excel spreadsheet
• Any software that performs tasks related to regulatory reporting
• Any software that manages clinical data
5) Validation of Software Used in Manufacturing Processes and Test Equipment
It should not be forgotten that ISO 13485:2016 also requires the validation of software used in manufacturing processes and test equipment. This was also the case in the previous revision of ISO 13485 but software validation in these areas is now more likely to receive auditor attention than in the past in light of the increased focus on software validation.
6) Software Validation of Outsourced Processes
Another thing to consider with the new software validation requirement in ISO 13485:2016 is software validation of outsourced processes. It has been noted at regulatory audits that auditors are more frequently requesting the reference number of software validations of any critical processes that are outsourced by the organisation.
For example, if an organisation chooses to outsource a process e.g. sterilisation, it has been noted that auditors are requesting the device manufacturer to have the reference number of the software validation (if applicable) of the sterilisation process at the device manufacturer site.
This requirement is tied in with section 4.1.5 of ISO 13485:2016, as follows: “When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organisation shall retain responsibility of conformity to this International standard and to customer and applicable regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements.”
7) Software Validation Assistance/Consultancy from Northridge Quality & Validation
If you need some assistance with a software validation project, we can provide hands-on, in-house help at whatever level you require. If you would like to discuss a software validation project, please contact John Lafferty of Northridge Quality & Validation on email@example.com
8) Software Validation Virtual Training
We also give training courses in Software Validation through our training partners SQT Training. This course is delivered virtually so you can complete your training at home.
Course Title: Software Validation
Course Content: The main objectives of this course are to give attendees a grounding in the principles of Software Validation, Computer Systems Validation and the latest requirements for Electronic Records and Electronic Signatures. The course provides an overview of the FDA and European requirements with practical exercises covering the implementation of those requirements. The course covers the application of these requirements to the validation of both computer hardware and software systems used in Manufacturing, QA, Regulatory and the Control of Processes. The course also covers the latest FDA Requirements and Guidance on Electronic Records and Signatures (21 CFR Part 11) and Quality Risk Management as applied to Software Validation and Computer Systems Validation.
About the Authors
John Lafferty is the owner of Northridge Quality & Validation, which provides consultancy to the Medical Device industry.
His specialities include Software Validation, MDSAP, ISO 13485, ISO 14971 and MDR. John is the holder of a Degree in Manufacturing Technology, Certificate in Training & Continuing Education, Certificate in Quality Management.
He has over 25 years’ experience in the medical device and pharmaceutical industry. He was a Senior Manager of a multinational Medical Devices plant where he managed the Quality, Regulatory, Environmental and Health & Safety Management Systems. He has successfully completed numerous consultancy projects with medical device manufacturers in Ireland and throughout Europe.
SQT Training Tutor
Carmel McCrea Kelly
Carmel McCrea Kelly is a Quality Management Consultant with Northridge Quality & Validation.
Carmel has the following qualifications: BSc in Quality Management & Technology, Cert Manufacturing Engineering, Training & Continuing Education & Dip Pollution Assessment and Control. She has over 20 years’ experience in the Medical Device and Pharmaceutical industry. Carmel feels that by combining her consultancy work with training through SQT she is best placed to impart her vast knowledge and experience to those currently working in the industry.
Prior to joining Northridge Quality & Validation, Carmel spent six years as Head of QA and RA of a Medical Device Manufacturing plant, where some of her achievements were gaining certification to ISO 13485:2016 and 21 CFR Part 820 and gaining CE Mark certification for several active Medical Devices.
Carmel has extensive experience of carrying out software validation projects in the industry over many years and continues to assist companies with these types of projects today. Carmel regards achieving compliance with the EU Medical Devices Regulations (MDR) and maintaining adherence to the Software Validation requirements of ISO 13485:2016 as being some of the biggest challenges facing Medical Device companies today.
Carmel is also a Life Sciences Tutor with SQT Training.