ISO 13485 Validation and CAR Requirements

rvanelli

Involved In Discussions
We have been 13485 certified for 6 years. We just had an third party auditor specify that we have to validate all software we use include our sharenet webpage as well as our corporate required training software.

This surprised us completely since we have never been asked this before.

Then the same auditor, while checking CAR's, picked an open CAR and wanted to see proof that actions had been taken even though the process was not complete or verified for effectiveness.

Is this out of the ordinary or typical of what to expect from an auditor?
 

Ronen E

Problem Solver
Moderator
We have been 13485 certified for 6 years. We just had an third party auditor specify that we have to validate all software we use include our sharenet webpage as well as our corporate required training software.

This surprised us completely since we have never been asked this before.

Then the same auditor, while checking CAR's, picked an open CAR and wanted to see proof that actions had been taken even though the process was not complete or verified for effectiveness.

Is this out of the ordinary or typical of what to expect from an auditor?

Hi,

ISO 13485:2003, s. 7.5.2.1 says:

The organization shall establish documented procedures for the validation of the application of computer software (and changes to such software and/or its application) for production and service provision that affect the ability of the product to conform to specified requirements. Such software applications shall be validated prior to initial use.

If your sharenet webpage and corporate training software can affect the ability of your products to conform to specified requirements, they need to be validated.

Regarding the CAR, it depends on the timeline - was the response timely? Were the actions in line with stated response plans, including stated timeline?

Cheers,
Ronen.
 

rvanelli

Involved In Discussions
Rohen,

thanks for the response. The CAR was written on 5-4-15. Actions taken on 5-12-15. Verification to be 5-29-15.

Regarding the software, it can be argued that any software used, including Word and Excel, can affect the ability of your products to conform to specified requirements.

This auditor didn't even read the scope of the audit in the opening meeting.

Thanks again for your comments.
 

yodon

Leader
Super Moderator
Regarding the software, Ronen's right, of course, if it can affect 'quality' then it should be validated. And it's not the auditor's responsibility to make that call. What I've done to address this is to create a Validation Master Plan to establish (risk-based) criteria for determining if the software requires validation (and to the extent necessary). I then took inventory of all software used and used the VMP to provide the rationale for what's validated and what's not. May sound a bit complicated but it's just a couple of pages, really. Then when the auditor asks, you can point him to the rationale (or validation).

So when you say that Word could arguably affect quality, you're absolutely right. But our justification for NOT validating it is that the outputs are fully verified through the approval process and thus the tools themselves don't require validation. (You might have noticed that I didn't mention Excel - spreadsheet validation is a whole separate discussion - but suffice to say that we used a similar argument to not validate Excel - the tool - but likely have to validate any particular spreadsheet.)
 

kreid

Involved In Discussions
I am going through this type of activity now and I think Yodon has described the situation very well.

The point that is easy to overlook is the 'fully verified through...' another process. So if the output your software is V&V'd elsewhere then the software itself does not need any further V&V activity.

There are situations where approach this might be considered a little simplistic, but I would go with it and then you have a defendable position.
 
T

treesei

The CAR was written on 5-4-15. Actions taken on 5-12-15. Verification to be 5-29-15.


Thanks again for your comments.

Regarding the CAR, it was open on 5/4, actions taken on 5/12, the OP was 5/20, the date of audit was unknown but before 5/20. So depending on when the audit occurred, it is possible that the auditor wanted to see some evidence that this open CAR was moving forward rather than sitting there. It is hard to tell from the OP.
 

Ronen E

Problem Solver
Moderator
Regarding the CAR, it was open on 5/4, actions taken on 5/12, the OP was 5/20, the date of audit was unknown but before 5/20. So depending on when the audit occurred, it is possible that the auditor wanted to see some evidence that this open CAR was moving forward rather than sitting there. It is hard to tell from the OP.

The auditor should have granted them a bit more leeway IMO. If the audit was after May 12, there already was an indication that something is being done so it wasn't "just sitting there" (perhaps there was also an indication that verification is planned within 2.5 weeks from actioning). If it occurred before the 12th, it was 1 week max post opening the CA - not a super-long period for "not taking action". Either way - not such a bad performance, IMO. Should have been barking up another tree!...
 
Top Bottom