ISO 13485 software validation

#1
Hello everyone,

For our company we need to perform a software validation.

We have SOPs and forms in place to document this. We know how to set up the requirements and do a risk assesment.

We are kind of stuck on how deep we need to go with this.
Do we need to say button x in the system should give output Y?
Can we say this system is used to register new suppliers and it's possible to register them in the system.
Or is it possible to say we use the system to register xyz info and it's possible to register the information.

Does anyone have a report as an example we can use as a guide? Or know where I can find one?
I've found some SOP templates, but they are empty templates with things like: Test description, Write a small description here

Thanks in advance!
 
Elsmar Forum Sponsor

Tidge

Trusted Information Resource
#2
Do we need to say button x in the system should give output Y?
This sounds more like a low level function requirement or implementation detail than a user requirement. I am assuming that this is OOTB software, and that you are not developing software. My basic rules for assurance (validation in the presence of a risk profile):

1) If you can't change the way the button works, there is limited point in challenge testing it (keep reading)
2) If it is critical that the button do the thing you need it to do, you should test it (at the appropriate level)
3) If the button's function is one minor part of an important process, you should be testing the process and not the individual steps.

If you have a risk analysis, apply it to motivate the levels of both your requirements and your testing.

I've had far too many knock-down fights with folks that insist my medical device manufacturer assume a QA role for commercial software products, to the point of absurdity. My guess is that in this case, the button will either be observed to work or it will not in the context of normal use, and that if it somehow doesn't work you can either adjust your test methods ("we were pushing the wrong button" of "the button cannot be pushed because we forgot to fill all fields on the form") or attribute the failure directly to the button ("it was observed that pushing this corner of the button did nothing") even in the absence of a scripted challenge focusing ONLY on the button push and contact the software supplier about any observed anomaly.
 

Ed Panek

QA RA Small Med Dev Company
Staff member
Super Moderator
#3
I can't add much to what Tidge said... but I'll try. Think of risk for the input to the output first.

Validation can be as simple as an MS XLS validation where you just manually perform the mathematics and compare the output to the XLS formula output.

We argue, "Wait for a second, we are not Microsoft QC! We don't need to validate the 'plus' function" So, if it's super simple calculations you may get by but if there are custom made formulas you used, you may be asked to validate you entered the formulae correctly.

Generally, an auditor will ask if you validated a computer operation. The right answer is almost always "yes." From there they can dig into the report but doing that requires a lot of time and understanding of your system so unless it's supercritical or has caused problems in the past, there are bigger fish to fry.

Your report should include what's being validated, why, what would happen if it were not to operate properly, the level of detection built-in, and the actual test results of the system. I recommend "locking down" any systems that were validated so they cant be up[dated with new software or have any settings changed.

For prebuilt systems, some manufacturers have a readily available validation report of the system you purchased.
 

yodon

Staff member
Super Moderator
#4
Great post by @Tidge

This caught my eye:

We know how to set up the requirements and do a risk assesment.
Do your requirements say that "pushing button x gives output y"? Validation should be on YOUR INTENDED USE of the system, not the implementation. If "pushing button x does not give output y" then will a patient be harmed?
 
#5
Validation of software in the software industry is a complex thing. Many auditors (and consultants) seem to believe that 13485 requires the same. It is not true.

You are bound by the definitions in ISO 9000:2015 and ISO 13485:2016, not the definitions and practices of the software industry. See section 3 of ISO 13485:2016.

Validation (ISO 9000:2015)

Confirmation, through the provision of objective evidence, that the requirements for a specific intended use have been fulfilled.

The essence of one of the "Notes to Entry".

Objective evidence needed for validation is the result of tests or other form of determination such as performing alternative calculations or reviewing documents.

Noticed in a quality manual of a 13485 certified printing shop recently:

Validation of production processes has been claimed for exclusion. We have no production processes that cannot be verified.

Validation of software used in production is accomplished by reviewing the proofs of the print job ourselves and obtaining customer approval of the proofs prior to the production run.

ISO 9000:2015 defines validation as the confirmation, through the provision of objective evidence, that the requirements for a specific intended use have been fulfilled.

The note to entry from ISO 9000:2015 definition of validation clarifies that the objective evidence needed for validation is the result of tests or other form of determination such as performing alternative calculations or reviewing documents.

Exclusion following scope statement

There are no production processes that cannot be verified. Validation of software used in production is not excluded.
 
#6
Hi all, we are in process of implementation of ISO13485. We stuck with requirements regarding validation of ERP system. Basically we don't know where to start. Do you guys maybe have any sample of validation protocol and report?
 

Billy Milly

Involved In Discussions
#8
Hi all, we are in process of implementation of ISO13485. We stuck with requirements regarding validation of ERP system. Basically we don't know where to start. Do you guys maybe have any sample of validation protocol and report?
Start with your processes. What do you do in each step? (e.g. receive the order, put it in ERP). Next, what do you want your SW to do in each step? (note the customer, product ID, quantity, delivery date). How could failure in SW affect the patient safety? (in described example, you have different risks for different inputs, e.g. ID is high risk, quantity is mid risk, delivery date is low risk...). This classification will determine "how much" you need to validate (only memo that validation was performed for low risk; one case with "printscreens" for mid risk, three different "printscreens" (cases) for high risk) and on the other hand, determine acceptance criteria (low risk - deviation is acceptable; mid risk - deviation has to be eliminated "soon", high risk - no deviation allowed). Note that those are just exmaples for your understanding, criteria (process risk anlysis procedure) has to be defined by your org.

To sum up, you need:
- step by step process description (useful also for other stuff - audits, training...)
- description of requirements for software (what you need/want the SW to do for you)
- risk analysis (severity) - useful for "overall" risk based approach :)
- criteria for extent of validation, tied to risk severity
- criteria for validation results, tied to risk severity

If you take the (similair) approach as described above, you achieve two important things:
- you validate according to your actual needs (and not everything that SW offers you, just what you use, for the purpose you use it)
- you put more attention to critical stuff and less to marginal areas

Now you can start preparing the procedures :)

Best of luck!
 
Thread starter Similar threads Forum Replies Date
Y ISO 13485:2015 Software Validation IQ/OQ/PQ ISO 13485:2016 - Medical Device Quality Management Systems 13
N ISO 13485 7.3.9 Change control in medical device software ISO 13485:2016 - Medical Device Quality Management Systems 6
Q ISO 13485 7.5.6 Validation - Off the shelf Software ISO 13485:2016 - Medical Device Quality Management Systems 3
J Implementing an ISO 13485 QMS Software ISO 13485:2016 - Medical Device Quality Management Systems 11
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 12
Q Is that any difficulty to do software DFMEA and PFMEA in ISO 13485? ISO 13485:2016 - Medical Device Quality Management Systems 5
R ISO 13485 Software validation procedure and Quality Objectives Monitoring wanted Document Control Systems, Procedures, Forms and Templates 1
T Software Validation Certificate (ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 19
C Software validation (4.1.6 ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 20
O ISO 13485 for software company - Selecting suppliers ISO 13485:2016 - Medical Device Quality Management Systems 3
R CNC Software Validation requirements as per ISO 13485:2016 Other ISO and International Standards and European Regulations 8
P QMS software recommendations for a small ISO 13485 company Quality Manager and Management Related Issues 5
S What is the clause in ISO 13485 for SAP Software Validation? ISO 13485:2016 - Medical Device Quality Management Systems 3
A Process Validation of QMS Software ISO 13485: 2016 Cl. 4.1.6 ISO 13485:2016 - Medical Device Quality Management Systems 26
T ISO 13485 for software outsourcing company ISO 13485:2016 - Medical Device Quality Management Systems 7
A ISO 13485:2016 - Validate our use of software that impacts on the QMS ISO 13485:2016 - Medical Device Quality Management Systems 12
K ISO 13485:2016 Self Certification for Class I (annex 9) Stand-Alone Software? ISO 13485:2016 - Medical Device Quality Management Systems 3
H ISO 14971 vs. IEC 62304 vs. 98/79/EC vs. ISO 13485 (Software Medical Device) ISO 14971 - Medical Device Risk Management 1
S Software Validation – Clause 4.1.6 of ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 12
K ISO 13485 requirements for Stand Alone Medical Device Software (Class II a) ISO 13485:2016 - Medical Device Quality Management Systems 1
F How to Align a Software Consulting/Contract Firm to ISO 13485+14971 & 62304 ISO 13485:2016 - Medical Device Quality Management Systems 1
R ISO 13485 Software Validation Requirements - Help needed ISO 13485:2016 - Medical Device Quality Management Systems 4
K Are ISO 13485 & ISO 14971 applicable to Healthcare IT software? ISO 13485:2016 - Medical Device Quality Management Systems 3
M Problems implementing ISO 13485 for Software-Only Medical Device Manufacturers? ISO 13485:2016 - Medical Device Quality Management Systems 4
F ISO 13485 & FDA Requirements - What kinds of software require validation? ISO 13485:2016 - Medical Device Quality Management Systems 2
T Quality Compliance Software to meet ISO 13485 QMS and 21 CFR 820 Requirements Quality Assurance and Compliance Software Tools and Solutions 3
A ISO 13485, Document Control and Software Validation ISO 13485:2016 - Medical Device Quality Management Systems 9
R Help for implementing ISO 13485 (provision of software to Hospitals) ISO 13485:2016 - Medical Device Quality Management Systems 4
S Nonconforming Material and CAPA ISO 13485 compliant software suggestions? Nonconformance and Corrective Action 7
K Evaluation of software life span - ISO 13485 IEC 62304 - Medical Device Software Life Cycle Processes 6
G Software for Medical Devices and ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 5
P Guidance on ISO 13485 Section 7.5.2. about Software Validation ISO 13485:2016 - Medical Device Quality Management Systems 15
K Software validation question - Contract Manufacturer - ISO 13485 implementation ISO 13485:2016 - Medical Device Quality Management Systems 2
J MRP / ERP Software Systems - Small medical laser manufacturing company - ISO 13485 Quality Assurance and Compliance Software Tools and Solutions 6
Q Looking for Best ISO 13485/FDA QSR Quality System Development Software Quality Assurance and Compliance Software Tools and Solutions 4
Brizilla ISO 13485 for a Distributor ISO 13485:2016 - Medical Device Quality Management Systems 7
Q Harmonised Standards (EN ISO 13485 / EN ISO 14971) in MDR (2017/745/EU) ISO 13485:2016 - Medical Device Quality Management Systems 3
J ISO 13485- 8.3.1 Non-conforming material high volume ISO 13485:2016 - Medical Device Quality Management Systems 4
H Contract Manufacturer as Design Owner ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 6
blackholequasar ISO 13485 certification prior to Medical Device Manufacturing... worth it? ISO 13485:2016 - Medical Device Quality Management Systems 4
S Electronic Signatures - Non-Conformance - ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 30
D Notified Bodies - ISO 13485 & MDR Technical Files ISO 13485:2016 - Medical Device Quality Management Systems 3
D Deviations - Where in ISO 13485 deviations are covered? ISO 13485:2016 - Medical Device Quality Management Systems 7
B ISO 13485 Certification ISO 13485:2016 - Medical Device Quality Management Systems 2
J ISO 13485 for Metal Finishing Medical Device and FDA Regulations and Standards News 5
S How to calculate Effective Number of People for ISO 13485 Certification? General Auditing Discussions 2
D Question regarding where "validations" fit according to ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
E Any template/ form of Monitoring and Measurement of Processes and product to ISO 13485? ISO 13485:2016 - Medical Device Quality Management Systems 1
H ISO 13485-paragraphs for a SaaS SAMD needed or not? ISO 13485:2016 - Medical Device Quality Management Systems 2
D Question on using audit checklist ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 20

Similar threads

Top Bottom