With the transition of many medical device companies to ISO 13485:2016 “Medical Devices – Quality Management Systems – Requirements for regulatory purposes”, it is a challenge for the industry to obtain suitably qualified software validation engineers to fulfil its requirements.
In this blog, our expert Tutor, John Lafferty aims to help you deal with the process of validating software used in the manufacturing/testing of medical devices and software used in the Medical Device Quality Management Systems.
Topics covered in this blog:
1) How to meet the Software Validation Requirements of ISO 13485:2016 – 3 key elements
ISO 13485:2016 Section 4.1.6 “Quality management system, General requirements” and 7.5.6 “Validation of processes for production and service provision” state the following “The organisation shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with the software validation and revalidation shall be proportionate to the risk associated with the use of the software. Records of such activities shall be maintained”. In a nutshell, what does the industry need to do? John Lafferty has broken down the requirements in the following three elements;
1. Software Validation Requirements for ISO 13485:2016
2. Output Documentation
3. Templates Required
Table 1: Software Validation Elements
2) A suggested layout for Documenting Risk within the Master Validation Plan
Figure 1: Suggested layout of documenting risk within the Master Validation Plan or Master register
As per figure 1 above, the risk rating cell can be set up with a drop-down list, such as low, medium or high. Justification for a low risk rating may be, for example, that the software does not affect product or pose any risk to the patient and, as such, the validation output documentation is decreased. The company’s risk rating definitions should be generated using a cross-functional team. Representation from a clinical board may be required if clinical matters are being discussed. When completing the risk assessment on software, consultation with ISO 14971 “Medical devices — Application of risk management to medical devices” and ISO 80002 “Medical device software — Part 2: Validation of software for medical device quality systems” is recommended. The benefit of performing a risk assessment is the outcome, for example, that low risk systems will require minimum validation effort while high-risk systems will have an increased validation effort. The risk assessment becomes the rationale for the validation effort. European Notified Bodies auditing software validation often regard the software risk assessment as the most important element of the validation.
3) How to Categorise the Software used at your Medical Device Company
The GAMP 5 guideline is the easiest model to follow to categorise the software at your facility. The following table outlines the GAMP 5 classification of software and the associated validation effort required:
4) Key Examples of Computer Software used in the Quality Management System
Any software used within the Quality Management System that can affect product conformity or risk to the patient are examples in this case including:
5) Validation of Software used in Manufacturing Processes and Test Equipment
It should not be forgotten that ISO 13485:2016 also requires the validation of software used in manufacturing processes and test equipment. This was also the case in the previous revision of ISO 13485 but software validation in these areas is now more likely to receive auditor attention than in the past in light of the increased focus on software validation.
6) Software Validation of Outsourced Processes
Another thing to consider with the new software validation requirement in ISO 13485:2016 is software validation of outsourced processes. It has been noted at regulatory audits that auditors are more frequently requesting the reference number of software validations of any critical processes that are outsourced by the organisation.
For example, if an organisation chooses to outsource a process e.g. sterilisation, it has been noted that auditors are requesting the device manufacturer to have the reference number of the software validation (if applicable) of the sterilisation process at the device manufacturer site.
This requirement is tied in with section 4.1.5 of ISO 13485:2016 as follows “When the organization chooses to outsource any process that affects product conformity to requirements, it shall monitor and ensure control over such processes. The organisation shall retain responsibility of conformity to this International standard and to customer and application regulatory requirements for outsourced processes. The controls shall be proportionate to the risk involved and the ability of the external party to meet the requirements in accordance with 7.4. The controls shall include written quality agreements”
We deliver training courses in Software Validation and you can learn more and book dates here. This course is delivered virtually so you can complete your training at home or combine remote teams. We also provide In-House training tailored to your individual needs – contact us for a quote anytime.
If you need some assistance with a software validation project, please contact John Lafferty at Northridge Quality & Validation to discuss further.
View all Life Sciences, Medical Devices & Pharma Training Programmes here
Sign up to receive the latest industry and company news direct to your inbox.