Re: ISO 13485:2003, Validation of the application of computer software
I have had discussions with external auditors on this many times where the focus was on ISO 13485 exclusively. 21 CFR Part 11 is a much tougher requirement to satisfy than the specific ISO 13485 requirements.
To satisfy ISO 13485, a simple inventory and risk assessment of each element of software used in your quality management system (as well as in your manufacturing processes) is necessary.
To help with the risk assessment, although it is not the 'official' terminology: if the software (or records contained therein) disappeared or gave false info, would your process (including processes such as purchasing, production, meeting agreed customer deadlines etc.) be adversely affected?
If the software (or records contained therein) disappeared or gave false info, would your services (including tracking service requirements, meeting customer deadlines, following up on customer complaints etc.) be adversely affected?
If the answer is YES, then you need to validate and put in necessary controls (but only for the risks identified, e.g. security, user access, administrator access, change control, authorization approval, application & data recovery, virus scanning, preventive maintenance, user verification of critical operations).
Hope this helps.
E
I agree with Emmet. We provide compliance management software for elements such as document control and corrective action all the way to SPC and audit system and training record controls.
I find that our clients are all over the map on what they validate, when and to what extent.
I agree with the interpretation that ISO 13485 really looks for some sort of risk analysis around the software used but 21 CFR part 11 is very different and more proscriptive.
We are audited regularly by our clients and the standards they apply to us make sense and are pretty consistent, heavy emphasis on configuration management, design and test process, training and support etc.
How they actually use our software and to what extent they validate our application varies from client to client.
We provide workbooks for IQ and OQ but how clients use them really varies. I am always perplexed at how two different clients producing pretty much the same items can both adamantly insist their validation approach is an absolute and when you look at them they are very, very different approaches.
We are, to the best of my knowledge, about the only compliance management software company to present to the FDA. That is kind of risky because they publish their impressions in a public docket, good or ill. (The comments concerning us were pretty favorable, thank goodness!)
I raised the question of very different approaches to compliance and validation with the head of 21 CFR part 11 compliance in the FDA who was sitting in on our presentation. I am from the world of ISO 9001:2000 and TS 16949 and frankly found his answer chilling.
This is a paraphrase: "The only interpretation that matters is our auditor's based upon the situation and use."
Yikes! What does that mean? It seems like the old federal justice quote on pornography, "I can't define obscenity but I know it when I see it."
The result for us is we build a sliding scale of compliance into the system. It can be set to be aggressive to modest in terms of controls. We still get a curve from an FDA auditor occasionally who has his or her own take on what is required. This was kind of long-winded but I think for me the focus is in the wrong place. Instead of being able to focus on product quality it seems like most of my clients are more focused on FDA interpretation lotto and hoping they make the right choices.
Just my opinion!