This is really not that trivial!
We had our 13485:2016 certification audit a few weeks ago, and already implemented the software validation issue. We wrote a SOP "Validation of QMS software", which includes 3 forms: validation log, validation plan, validation report. On the log we list all software we think can have an impact on the QMS and/or product safety. As we have production/manufacturing outsourced, we have only some software packages on the log.
The log is a spreadsheet with the colums:
- ID number
- Software name/version/date
- Description (what does the software do)
- Failure mode(s) (what could go wrong)
- Validation required (yes/no)
- Rational for validation decision
- Software validation report available (yes/no)
- Software released for everyday use (yes/No)
- Decision made date /by
If validation is required, a validation plan is prepared - how to validate the software. If the validation is finished, the validation report is prepared, and the log is updated.
Currently we have only three different software packages on the log - our QMS is still paper-based, that makes it simple. We have a data logger for a storage room for products (temperature/humidity), excel spreadsheets with home-brewed algorithms, and a statistical software for number needed to treat calculations for clinical study planning.
For excel we use the FDA recommendations (I will write a work instruction for our personnel), the statistical software (G*Power) does not need validation as all algorithms are already validated by the manufacturer (take a look on the manual), and the data retrieval software of the data logger needed validation (is the retrieved logged data similar to the true environmental conditions).
Next year we get an ERP. The manufacturer will validate the software! EXPENSIVE!!! But necessary.
Hope this helps!