ISO 13485:2016 - Validate our use of software that impacts on the QMS

#1
:bigwave:

Hi All,

We're in the process of transitioning to the 2016 version of ISO 13485, and one of the biggies for us is the requirement to validate our use of software that impacts on the QMS. I've justified what needs assessing based on risk and need to start writing the validation protocols for it now, but it's something I have absolutely no experience in. I think I could fumble through a new validation but the retrospective need to validate is throwing me completely as we have nothing to work off like a URS etc. Can anyone point me towards any guidance which would give me an idea of what paperwork would be the minimum we need and perhaps a decent way of laying it out? Any suggestions gratefully received.
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
A couple of things:

First, validation is not a one-time event (so just having "paperwork" may be a misconception). Once you complete validation, you need to maintain the system in a validated state throughout its use life. Your validation program (usually captured in a Master Validation Plan) should address the complete life cycle.

Second, the concept of non-product software validation isn't new, it was there for software used in production and service provision. The updated standard does, in fact, expand the scope and emphasis.

You will certainly need to establish requirements for the applications. Just no way to validate something if you can't articulate what its intended use is.

As far as the retrospective aspect goes, you'll just need to generate enough evidence to be able to assert that whatever you have done in the past with the software is valid.

This is a pretty big subject and hard to express in a few lines on a discussion board.
 

kreid

Involved In Discussions
#4
If you do not have a URS for your legacy software, maybe you have a work instruction or training materials on how to use it?
If so you can use this as the input to your validation process, they can be used as a surrogate URS.
 

MC Eistee

Starting to get Involved
#5
I would advise you to read the new ISO/TR 80002-2 that was just published in June this year.
It is a guide for validation in an ISO environment. Nothing really new in there but it might be a good start for you as it comes with some examples and is easy to read.

If you are also FDA regulated you might also look at the link of pkost.

As yodon said, validation is not a one time event. You need to keep it in a validated state. Simple example: Initial validation and then you need to judge each change on the software (also its environment if there is any impact) whether you have to validate again or not.
 

Wolf.K

Involved In Discussions
#7
Hi,

We have the same issue. Our QMS is totally paper-based, that is, all documentation is printed out and filed in folders. But of course we have computers, and our contract manufacturers use software in the production.

So, what I did was:

I wrote a SOP "Validation of QMS software"...

This SOP just requires to write a validation plan, a validation report, and list the validated software in a software validation log (all controlled documents) and statement if it is released for use or not. As applicable, failure modes have to be defined, then a decision has to be made, and the rational for the decision has to be stated.

Validation log
Headlines of the columns:
ID number - Software name, version, date - Description (what is the software used for) - Failure mode (short version of the report) - Validation required? - Rationale (short version from the report) - Software validation report (yes, n/a, not available yet) - Software released for everyday use? (yes/no) - Decision made date / by

So, we fulfill now the requirement of a documented procedure. Is it a good procedure, or a bad one? I don't know, I have never done a software validation before. The new ISO standard did not help me much, though. But: we have a procedure. After the audit I will know, if it is good enough...

I had to think about the software we use and which has to be validated. I came up with the following list:

1. Office. As we print all our documents, so no need to validate. Except:

1.1 Spreadsheet calculations

For our spreadsheet calculations I ask our people who program spreadsheet calculations to write a short report of the algorithm, and test it a bit. That is, plug some (also extreme) values in it and see, if the results are correct. I referenced the FDA requirements/recommendations in the SOP.

2. Our statistics program

We use it for calculating e.g. numbers to treat and else (for our clinical studies). The good thing is: all formulas are already validated by the manufacturer. So, no need for us to validate it.

3. The data retrieval software of our data loggers (to record temperature and humidity)
Our products are manufactured by contract manufacturers and distributed by distributors. But we have a small storage room to store products to be used by our product managers e.g. for clinical trainings. So we have to prove that the sterility of the products is not compromised. SOP Storage Room requires documentation of environmental parameters. We have a data logger and log the parameters. But are the numbers I see on the computer the real ones, or does the import of the data from the logger change the values? So: validation required.

Next year we get a ERP, and I have to learn something about GAMP 5...

Hope this helps!
 

bcoolnow

Starting to get Involved
#8
I am also fairly new to the software validation requirements and may have a large one coming up soon, excel spreadsheets used for final inspection. If these are used for data acquisition during final inspection, does this need to be validated? And if so, to what degree? I would assume that any cell where a calculation is done would need to be proven out, even though the formulas themselves may be pre-proven by the manufacturer. We are contemplating going this route so would like to know what all may be involved.
 

yodon

Staff member
Super Moderator
#9
Short answer is yes.

FDA has posted this: https://www.fda.gov/downloads/scienceresearch/fieldscience/laboratorymanual/ucm092179.pdf

Section 4.5.3 talks about spreadsheet validation and provides a good overview:

General guidance for design and validation of in-house spreadsheets and other numerical
calculation programs includes the following considerations:
• Lock all cells of a spreadsheet, except those needed by the user to input data.
•Make spreadsheets read-only, with password protection, so that only authorized users can alter the spreadsheet.
•Design the spreadsheet so that data outside acceptable conditions is rejected (for example, reject non-numerical inputs).
•Manually verify spreadsheet calculations by entering data at extreme values, as well as at expected values, to assess the ruggedness of the spreadsheet.
•Test the spreadsheet by entering nonsensical data (for example alphabetical inputs, <CTRL> sequences, etc.).
•Keep a permanent record of all cell formulas when the spreadsheet has been developed. Document all changes made to the spreadsheet and control using a system of version numbers with documentation.
•Periodically re-validate spreadsheets. This should include verification of cell formulas and a manual reverification of spreadsheet calculations.
 
Thread starter Similar threads Forum Replies Date
C ISO 13485 :2016 - CAPA - Does every CAPA need to be checked by regulations? ISO 13485:2016 - Medical Device Quality Management Systems 9
P ISO 13485:2016 MDSAP Certification Fee Survey ISO 13485:2016 - Medical Device Quality Management Systems 6
K Contamination Control - Class Is medical devices (Clause 6.4.2 ISO 13485:2016 (E)) ISO 13485:2016 - Medical Device Quality Management Systems 12
H ISO 13485:2016 Gap Analysis by NB ISO 13485:2016 - Medical Device Quality Management Systems 7
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 9
JoCam Difference between Approval and Registration - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
K ISO 13485:2016, Clause 4.2.3 Medical Device File ISO 13485:2016 - Medical Device Quality Management Systems 4
T Document control ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 5
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
E Equipment Qualification - IQ/OQ per ISO 13485:2016 section 7.5.6 Process validation ISO 13485:2016 - Medical Device Quality Management Systems 7
S Clinical Evaluation - Is this an ISO 13485:2016 requirement? ISO 13485:2016 - Medical Device Quality Management Systems 4
L ISO 13485:2016 Clause 8.4 - Analysis of Audit Observations ISO 13485:2016 - Medical Device Quality Management Systems 8
S When is ISO 13485:2016 6.4.2 Contamination Control appropriate? ISO 13485:2016 - Medical Device Quality Management Systems 11
L Templates for three ISO 13485:2016 SOPs ISO 13485:2016 - Medical Device Quality Management Systems 8
C What falls under the 'Customer Property' according to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 10
M Is it possible to get iso 13485:2016 certified as a one man band ISO 13485:2016 - Medical Device Quality Management Systems 1
F ISO 13485:2016 Quality Policy Requirements Other ISO and International Standards and European Regulations 3
M Contract Manufacturers and MDF Responsibilities, ISO 13485:2016, Clause 4.2.3 ISO 13485:2016 - Medical Device Quality Management Systems 3
J ISO 13485:2016 sample exam/test ISO 13485:2016 - Medical Device Quality Management Systems 3
M Informational Questionário – Análise crítica sistemática – ISO 13485:2016 (Portuguese-only) Medical Device and FDA Regulations and Standards News 0
M Informational ISO 13485:2016 under systematic review Medical Device and FDA Regulations and Standards News 5
C Updates on Documentation for outsourced OEM from ISO 13485:2003 to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 4
GStough Informational SN EN ISO 9001:2015 and SN EN ISO 13485:2016 on Same Certificate? Registrars and Notified Bodies 7
E MDSAP Audit - Our QMS conforms to ISO 13485:2016 and FDA GMP Canada Medical Device Regulations 9
Ronen E Informational ISO 13485:2016 Transition Period End - 1 March 2019 ISO 13485:2016 - Medical Device Quality Management Systems 0
B ISO 9001:2015 vs ISO 13485:2016 for MDR Compliance EU Medical Device Regulations 4
T ISO 13485:2016 - Processes exempt from process validation ISO 13485:2016 - Medical Device Quality Management Systems 12
C Medical device manufacturing (class 2 ISO 13485:2016) - Is a Deviation allowed? Other Medical Device Related Standards 5
J EU ISO 13485:2016 Recertification Audit - Effect of 10 Minor Nonconformances EU Medical Device Regulations 2
E Template of a Management Review Agenda or Report in compliance with ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 6
J ISO 13485:2016 Section 6.2 - Documenting the process for establishing competence ISO 13485:2016 - Medical Device Quality Management Systems 6
Q Any good Checklists for ensuring SOPs cover ISO 13485:2016 and 21CFR 820? ISO 13485:2016 - Medical Device Quality Management Systems 3
H Transition to ISO 13485:2016 together with ISO 9001:2015 ISO 13485:2016 - Medical Device Quality Management Systems 12
B Classes/ Online Training on ISO 13485:2016 and FDA QSR Part 820 ISO 13485:2016 - Medical Device Quality Management Systems 5
T Software Validation Certificate (ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 19
D ISO: 13485:2016 Sec. 7.5.2 (C) - Requirements for cleanliness of product or contamination control ISO 13485:2016 - Medical Device Quality Management Systems 2
M Internal Audit Assessment Criteria - ISO 13485:2016 Internal Auditing 21
C Software validation (4.1.6 ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 20
L Does anybody have quiz's available? ISO 13485:2016 Training Material Training - Internal, External, Online and Distance Learning 2
G ISO 13485:2016 and regulatory requirements - Contract Manufacturing ISO 13485:2016 - Medical Device Quality Management Systems 22
S ISO 13485:2016 and GDRP EU 2016/679 ISO 13485:2016 - Medical Device Quality Management Systems 5
JoshuaFroud Interpretation of Clause 5.5.2 in ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 2
R CNC Software Validation requirements as per ISO 13485:2016 Other ISO and International Standards and European Regulations 8
A ISO 13485:2016 Applicable regulatory requirements ISO 13485:2016 - Medical Device Quality Management Systems 2
R ISO 13485:2016 Registration - NC on full cycle of internal audits ISO 13485:2016 - Medical Device Quality Management Systems 7
C Will anyone please share training material for ISO:13485:2016 for best practices Training - Internal, External, Online and Distance Learning 0
T ISO 13485: 2016 Internal Audit - Is sampling on projects allowed? ISO 13485:2016 - Medical Device Quality Management Systems 6
D Where I can find an ISO 13485:2016 Audit Schedule example? ISO 13485:2016 - Medical Device Quality Management Systems 4
S What records are required to show compliance to ISO 13485:2016? ISO 13485:2016 - Medical Device Quality Management Systems 1
B Non Applications in ISO 13485:2016 for component contract manufacturers ISO 13485:2016 - Medical Device Quality Management Systems 2

Similar threads

Top Bottom