IS0 13485:2003 - Validation of the Application of Computer Software

Al Rosen

Staff member
Super Moderator
#11
Linda W said:
ISO-13485 does not require compliance to FDA 21 CFR Part 11 but anyone in the medical device industry must be aware of this requirement and comply. In March of 1997, FDA issued 21 CFR Part 11 regulations that provided criteria for acceptance by FDA of electronic records and signatures as equivalent to paper records and handwritten signatures executed on paper. FDA requires any software product developed or acquired after June 1, 1997 to be subject to this rules. Compliance with FDA regulations is mandatory for all systems or networks that contains records (data) required to provide evidence of compliance to a predicate rule, such as 21 CFR 820 (GMPs for medical devices) that would include CAPA, Complaints, Document Control, etc.

Linda
Not if you are in Ireland as the originator of the first post is. Of course if (s)he intends to market in the US, (s)he must.
 
Elsmar Forum Sponsor
R

rose24m03

#13
software validation (how relate to ISO 13485)

See ISO/TR 14969:2004 (guideline for ISO13485:2003)
# 7.3.4.1 n) and o)
# 7.5.2.1.3
# 7.6.1 and # 7.6.4

Other reference documents to consider:
Good Automated Manufacturing Practice (GAMP) guidelines
21 CFR Part 11 Preamble (issued on 3/20/1997)
Guidance for Industry, Part 11, Electronic Records; Electronic Signatures - Scope and Application (August 2003)
General Principles of Software Validation; Final Guidance for Industry and FDA Staff (issued January 11, 2002)
21 CFR Part 820 - §820.70(i) Automated Processes
Guidance for Industry, FDA Reviewers and Compliance on Off-the-shelf Software Use in Medical Devices (issued September 9, 1999)
 
K

klopfenstein

#14
What about the Harmonized standard EN60601-1-4 ?
This standard applied will fullfilled the requirements of ISO 13485 ?
 
E

EMMET

#15
Re: IS0 13485:2003, Validation of the application of computer software

I have had discussions with external auditors on this many times where the focus was on ISO 13485 exclusively. 21CFR Part 11 is a much tougher requirement to satisfy than the specific ISO 13485 requirements.

To satisfy ISO 13485, a simple inventory and risk assessment of each element of software used in your quality management system (as well as in your manufacturing processes) is necessary.

To help with the risk assessment, although it is not the 'official' terminology. If the software (or records contained there-in) disappeared or gave false info would your process (including processes such as purchasing, production, meeting agreed customer deadlines etc) be adversely affected ?

If the software (or records contained there-in) disappeared or gave false info would your services(including tracking service requirements, meeting customer deadlines, following-up on customer complaints etc) be adversely affected ?

If the answer is YES. Then you need to validate and put in necessary controls(but only for the risks identified e.g.
security, User access,Administrator access, Change control, Authorization approval, Application & data recovery, Virus scanning, Preventive maintenance, User verification of critical operations

Hope this helps.
E
 
O

Old Quality Gal

#16
Re: IS0 13485:2003, Validation of the application of computer software

I have had discussions with external auditors on this many times where the focus was on ISO 13485 exclusively. 21CFR Part 11 is a much tougher requirement to satisfy than the specific ISO 13485 requirements.

To satisfy ISO 13485, a simple inventory and risk assessment of each element of software used in your quality management system (as well as in your manufacturing processes) is necessary.

To help with the risk assessment, although it is not the 'official' terminology. If the software (or records contained there-in) disappeared or gave false info would your process (including processes such as purchasing, production, meeting agreed customer deadlines etc) be adversely affected ?

If the software (or records contained there-in) disappeared or gave false info would your services(including tracking service requirements, meeting customer deadlines, following-up on customer complaints etc) be adversely affected ?

If the answer is YES. Then you need to validate and put in necessary controls(but only for the risks identified e.g.
security, User access,Administrator access, Change control, Authorization approval, Application & data recovery, Virus scanning, Preventive maintenance, User verification of critical operations

Hope this helps.
E
I agree with Emmet. We provide compliance management software for elements such as document control and corrective action all the way to SPC and audit system and training record controls.
I find that our clients are all over the map on what they validate, when and to what extent.
I agree with the interpretation that ISO 13485 really looks for some sort of risk analysis around the software used but 21 CFR part 11 is very different and more proscriptive.
We are audited regularly by our clients and the standards they apply to us make sense and are pretty consistent, heavy emphasis on configuration management, design and test process, training and support etc.
How they actually use our software and to what extent they validate our application varies from client to client.
We provide workbooks for IQ and OQ but how clients use them really varies. I am always perplexed at how two different clients producing pretty much the same items can both adamantly insist their validation approach is an absolute and when you look at them they are very, very different approaches.
We are, to the best of my knowledge, about the only compliance management software company to present to the FDA. That is kind of risky because they publish their impressions in a public docket, good or ill. ( The comments concerning us were pretty favorable, thank goodness!)
I raised the question of very different approaches to compliance and validation with the head of 21 CFR part 11 compliance in the FDA who was sitting in on our presentation. I am from the world of ISO 9001:2000 and TS 16949 and frankly found his answer chilling.
This a paraphrase "The only interpretation that matters is our auditor's based upon the situation and use."
Yikes ! What does that mean? It seems like the old federal justice quote on pornography, "I can't define obscenity but I know it when I see it."
The result for us is we build a sliding scale of compliance into the system. It can be set to be aggressive to modest in terms of controls. We still get a curve from an FDA auditor occasionally who has his or her own take on what is required. This was kind of long winded but I think for me the focus is in the wrong place. Instead of being able to focus on product quality it seems like most of my clients are more focused on FDA interpretation lotto and hoping they make the right choices.
Just my opinion!
 
M

MtlGuy - 2009

#17
Re: IS0 13485:2003, Validation of the application of computer software

Please forgive my ignorance, but I thought 21 CFR Part 11 only applied to the pharmaceutical manufacturing industry. Would Part 11 also apply to medical device manufacturers?

If so, I'm still unclear as to what constitues an electronic record in the FDAs view. In our case, our medical device is a software application. Is the FDA referring to our electronic records that we maintain in the creation of the software or does the FDA want to make sure that our software has safeguards in place to prevent unauthorized use?

- MtlGuy :confused:
 

Al Rosen

Staff member
Super Moderator
#18
Re: IS0 13485:2003, Validation of the application of computer software

Please forgive my ignorance, but I thought 21 CFR Part 11 only applied to the pharmaceutical manufacturing industry. Would Part 11 also apply to medical device manufacturers?

If so, I'm still unclear as to what constitues an electronic record in the FDAs view. In our case, our medical device is a software application. Is the FDA referring to our electronic records that we maintain in the creation of the software or does the FDA want to make sure that our software has safeguards in place to prevent unauthorized use?

- MtlGuy :confused:
Part 11 does apply to medical devices and the records that apply to part 11 are defined in the Guidance documents.
 

Attachments

liuyy

Involved In Discussions
#19
Re: IS0 13485:2003, Validation of the application of computer software

validation of softwares in product:7.3.6
validation of softwares used in production and service:7.5.2.1
validation of softwares used in measurement:7.6
 
J

JohnM

#20
Re: IS0 13485:2003, Validation of the application of computer software

Al,

I noticed that the Guidance for Part 11 in section C subsection 1 that validation is suggested. I also see that the validation guidance you posted is a draft.

Am I to surmize that software validation is suggested, but not required, as there is no official guidance on how to validate the software?

Thanks,

John M.:cool:
 
Thread starter Similar threads Forum Replies Date
S Inspection Parts as saleable goods - IS0 13485 OEM medical device manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 4
Q Gap Analysis - Bringing a smaller subsidiary company up to IS0 9001:2008 standard ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
Q Should distributors be also certified to IS0 9001? IATF 16949 - Automotive Quality Systems Standard 16
M IS0 9001 and Health & Safety plus Food Safety Intranet Forms and Guides ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
F Franchises and IS0 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 3
G ISO 17025 or IS0 9001 Training procedure - Needed ISO 17025 related Discussions 7
K External calibration laboratories - IS0 17025 Equivalents? ISO 17025 related Discussions 19
T Accreditation of In-House Labs to IS0-17025 ISO 17025 related Discussions 4
C Have QS & IS0:1994 need IS0:2000? QS-9000 - American Automotive Manufacturers Standard 1
Ed Panek ISO 13485:2016 Section 5.5.3 ISO 13485:2016 - Medical Device Quality Management Systems 3
ebrahim QMS as per ISO 13485, Clause 4.2 Requirements for regulatory purposes for Medical Devices Authorized Representatives. ISO 13485:2016 - Medical Device Quality Management Systems 3
D ISO 13485 scope (implantable) - Polymers for dental application EU Medical Device Regulations 9
N ISO 13485 7.3.9 Change control in medical device software ISO 13485:2016 - Medical Device Quality Management Systems 6
A ISO 13485 procedure change and reflect to legacy manufacture items ISO 13485:2016 - Medical Device Quality Management Systems 2
D ISO 13485 & CE Certification for Surgical Gloves CE Marking (Conformité Européene) / CB Scheme 0
S Inventory Listing and ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 3
M ISO 13485:2016 Certification Scope ISO 13485:2016 - Medical Device Quality Management Systems 2
D Reports under change management | ISO 13485:2016 & ISO 9001:2015 ISO 13485:2016 - Medical Device Quality Management Systems 3
0 To which part of 13485 does this refer? ISO 13485:2016 - Medical Device Quality Management Systems 3
M Scope for ISO 13485 Certification of a Translation Service Provider ISO 13485:2016 - Medical Device Quality Management Systems 17
Q ISO 13485 7.5.6 Validation - Off the shelf Software ISO 13485:2016 - Medical Device Quality Management Systems 3
A ISO 13485 Certification for Resin Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 4
A ISO 13485 Sterilization Clause Applicability ISO 13485:2016 - Medical Device Quality Management Systems 7
K ISO 13485 and compliance of electronic signature ISO 13485:2016 - Medical Device Quality Management Systems 5
T ISO 13485 - Assembly instructions written vs. online ISO 13485:2016 - Medical Device Quality Management Systems 5
M ISO 13485:2016 internal audit checklist Medical Device and FDA Regulations and Standards News 5
N 93/42/EEC certification without ISO 13485 EU Medical Device Regulations 3
M How Specific in an ISO 13485:2016 Scope for a Contract Manufacturer ISO 13485:2016 - Medical Device Quality Management Systems 9
A ISO 13485 for Class 1 Medical Device ISO 13485:2016 - Medical Device Quality Management Systems 7
0 ISO 13485:2016 Chapter 8 Integration of the subsections ISO 13485:2016 - Medical Device Quality Management Systems 3
M Change in Constitution / Ownership of firm -------ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 1
J ODM not 13485-certified ISO 13485:2016 - Medical Device Quality Management Systems 2
Louddogsbark When your 13485:2016 certificate has been pulled ISO 13485:2016 - Medical Device Quality Management Systems 2
E ISO 13485 QMS certification as a Supplier ISO 13485:2016 - Medical Device Quality Management Systems 8
T ISO 13485:2016 Clauses related to process matrix ISO 13485:2016 - Medical Device Quality Management Systems 3
J Can signed agreements over-ride review of every "contract" under ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 2
J Implementing an ISO 13485 QMS Software ISO 13485:2016 - Medical Device Quality Management Systems 6
Q EN ISO 13485:2016/AC:2018 - AC:2018 being stated in the applicable harmonized standard listing Other ISO and International Standards and European Regulations 1
J Leveraging another company's ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
J New Job Position - Achieving ISO 13485 Certification ISO 13485:2016 - Medical Device Quality Management Systems 5
A Scope of ISO 13485 certificate ISO 13485:2016 - Medical Device Quality Management Systems 1
A ASL requirement when the supplier is certified for ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 6
M ISO 13485-2016 online certification ISO 13485:2016 - Medical Device Quality Management Systems 3
S Thoughts on managing ISO 9001, 13485, IATF 16949 and 17025 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 33
S Supplier Management ISO 13485: 2016- Which supplier needs to fill in a self assessment form? ISO 13485:2016 - Medical Device Quality Management Systems 6
J Possible to get ISO 13485 certified with only OEM Product? ISO 13485:2016 - Medical Device Quality Management Systems 4
D Definition of equipment for ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
M ISO 13485:2016 Complaint Definition Clarity Customer Complaints 2
D Rules for Paper Forms outside of an eQMS - 3 Questions (ISO 13485) Document Control Systems, Procedures, Forms and Templates 9
S Qualification question - ISO 13485 - Setting up a small lab Reliability Analysis - Predictions, Testing and Standards 2

Similar threads

Top Bottom