ISO 13485 Validation and CAR Requirements

rvanelli

Involved In Discussions
#1
We have been 13485 certified for 6 years. We just had an third party auditor specify that we have to validate all software we use include our sharenet webpage as well as our corporate required training software.

This surprised us completely since we have never been asked this before.

Then the same auditor, while checking CAR's, picked an open CAR and wanted to see proof that actions had been taken even though the process was not complete or verified for effectiveness.

Is this out of the ordinary or typical of what to expect from an auditor?
 
Elsmar Forum Sponsor

Ronen E

Problem Solver
Staff member
Moderator
#2
We have been 13485 certified for 6 years. We just had an third party auditor specify that we have to validate all software we use include our sharenet webpage as well as our corporate required training software.

This surprised us completely since we have never been asked this before.

Then the same auditor, while checking CAR's, picked an open CAR and wanted to see proof that actions had been taken even though the process was not complete or verified for effectiveness.

Is this out of the ordinary or typical of what to expect from an auditor?
Hi,

ISO 13485:2003, s. 7.5.2.1 says:

The organization shall establish documented procedures for the validation of the application of computer software (and changes to such software and/or its application) for production and service provision that affect the ability of the product to conform to specified requirements. Such software applications shall be validated prior to initial use.
If your sharenet webpage and corporate training software can affect the ability of your products to conform to specified requirements, they need to be validated.

Regarding the CAR, it depends on the timeline - was the response timely? Were the actions in line with stated response plans, including stated timeline?

Cheers,
Ronen.
 

rvanelli

Involved In Discussions
#3
Rohen,

thanks for the response. The CAR was written on 5-4-15. Actions taken on 5-12-15. Verification to be 5-29-15.

Regarding the software, it can be argued that any software used, including Word and Excel, can affect the ability of your products to conform to specified requirements.

This auditor didn't even read the scope of the audit in the opening meeting.

Thanks again for your comments.
 

yodon

Staff member
Super Moderator
#4
Regarding the software, Ronen's right, of course, if it can affect 'quality' then it should be validated. And it's not the auditor's responsibility to make that call. What I've done to address this is to create a Validation Master Plan to establish (risk-based) criteria for determining if the software requires validation (and to the extent necessary). I then took inventory of all software used and used the VMP to provide the rationale for what's validated and what's not. May sound a bit complicated but it's just a couple of pages, really. Then when the auditor asks, you can point him to the rationale (or validation).

So when you say that Word could arguably affect quality, you're absolutely right. But our justification for NOT validating it is that the outputs are fully verified through the approval process and thus the tools themselves don't require validation. (You might have noticed that I didn't mention Excel - spreadsheet validation is a whole separate discussion - but suffice to say that we used a similar argument to not validate Excel - the tool - but likely have to validate any particular spreadsheet.)
 

kreid

Involved In Discussions
#5
I am going through this type of activity now and I think Yodon has described the situation very well.

The point that is easy to overlook is the 'fully verified through...' another process. So if the output your software is V&V'd elsewhere then the software itself does not need any further V&V activity.

There are situations where approach this might be considered a little simplistic, but I would go with it and then you have a defendable position.
 
T

treesei

#6
The CAR was written on 5-4-15. Actions taken on 5-12-15. Verification to be 5-29-15.


Thanks again for your comments.
Regarding the CAR, it was open on 5/4, actions taken on 5/12, the OP was 5/20, the date of audit was unknown but before 5/20. So depending on when the audit occurred, it is possible that the auditor wanted to see some evidence that this open CAR was moving forward rather than sitting there. It is hard to tell from the OP.
 

Ronen E

Problem Solver
Staff member
Moderator
#7
Regarding the CAR, it was open on 5/4, actions taken on 5/12, the OP was 5/20, the date of audit was unknown but before 5/20. So depending on when the audit occurred, it is possible that the auditor wanted to see some evidence that this open CAR was moving forward rather than sitting there. It is hard to tell from the OP.
The auditor should have granted them a bit more leeway IMO. If the audit was after May 12, there already was an indication that something is being done so it wasn't "just sitting there" (perhaps there was also an indication that verification is planned within 2.5 weeks from actioning). If it occurred before the 12th, it was 1 week max post opening the CA - not a super-long period for "not taking action". Either way - not such a bad performance, IMO. Should have been barking up another tree!...
 
Thread starter Similar threads Forum Replies Date
D Test summary report example for design validation wanted - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 1
T ISO 13485 - Process validation at critical suppliers ISO 13485:2016 - Medical Device Quality Management Systems 7
S SOP for ISO 13485:2016 Quality related Software validation ISO 13485:2016 - Medical Device Quality Management Systems 9
E Equipment Qualification - IQ/OQ per ISO 13485:2016 section 7.5.6 Process validation ISO 13485:2016 - Medical Device Quality Management Systems 7
D ISO 13485 - Equipment validation , qualification Qualification and Validation (including 21 CFR Part 11) 6
R ISO 13485 Software validation procedure and Quality Objectives Monitoring wanted Document Control Systems, Procedures, Forms and Templates 1
T ISO 13485:2016 - Processes exempt from process validation ISO 13485:2016 - Medical Device Quality Management Systems 12
J ISO 13485 - 7.5.2 cleanliness , 6.4.2 validation of special processes, and 6.4.2 contamination ability to be exempt? ISO 13485:2016 - Medical Device Quality Management Systems 5
T Software Validation Certificate (ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 19
C Software validation (4.1.6 ISO 13485:2016) ISO 13485:2016 - Medical Device Quality Management Systems 20
R CNC Software Validation requirements as per ISO 13485:2016 Other ISO and International Standards and European Regulations 8
S What is the clause in ISO 13485 for SAP Software Validation? ISO 13485:2016 - Medical Device Quality Management Systems 3
A Process Validation of QMS Software ISO 13485: 2016 Cl. 4.1.6 ISO 13485:2016 - Medical Device Quality Management Systems 26
SteveK Software Validation – Clause 4.1.6 of ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 12
C ISO 13485 - Client Specific Validation and CE Marking CE Marking (Conformité Européene) / CB Scheme 3
R ISO 13485 Software Validation Requirements - Help needed ISO 13485:2016 - Medical Device Quality Management Systems 4
F ISO 13485 & FDA Requirements - What kinds of software require validation? ISO 13485:2016 - Medical Device Quality Management Systems 2
C Validation of Sterilization Procedures - ISO 13485 Section 7.5.2.2 Document Control Systems, Procedures, Forms and Templates 4
A ISO 13485, Document Control and Software Validation ISO 13485:2016 - Medical Device Quality Management Systems 9
N Validation of Special Processes - N/A of ISO 13485 Clause 7.5.2 ISO 13485:2016 - Medical Device Quality Management Systems 12
C Process Validation procedure for ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 5
A Clean Room - Standards or some type of Clean Room Validation - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 17
M Validation Requirements - ISO 13485 / MDD Technical File ISO 13485:2016 - Medical Device Quality Management Systems 7
P Guidance on ISO 13485 Section 7.5.2. about Software Validation ISO 13485:2016 - Medical Device Quality Management Systems 15
A How to do Equipment Validation - Establishing our ISO 13485 QMS procedures Qualification and Validation (including 21 CFR Part 11) 26
T Validation Requirements: ISO 9001 vs. ISO 13485? ISO 13485:2016 - Medical Device Quality Management Systems 10
T Contradictions in Medical Device Verification vs. Validation - ISO 13485 Qualification and Validation (including 21 CFR Part 11) 35
E Contract manufacturer seeking help understanding ISO 13485 Validation requirements ISO 13485:2016 - Medical Device Quality Management Systems 9
R Design Validation and Clinical Evaluations to meet ISO 13485 requirements Design and Development of Products and Processes 3
K Software validation question - Contract Manufacturer - ISO 13485 implementation ISO 13485:2016 - Medical Device Quality Management Systems 2
P ETO Sterilization Validation Process and an NCR - ISO 13485:2003 CMDCAS audit ISO 13485:2016 - Medical Device Quality Management Systems 1
K ISO 13485 clause 8.5.2 'Any necessary CA shall be taken without undue delay' ISO 13485:2016 - Medical Device Quality Management Systems 2
J How much to charge for helping a startup company with initial ISO 13485 certification? Consultants and Consulting 3
J ISO 13485 System 'soft start' - How to best reflect this in initial audits, management review minutes and other records? ISO 13485:2016 - Medical Device Quality Management Systems 3
D ISO 13485 - 7.3.6 Design and development verification - Do most folks create a separate SOP? ISO 13485:2016 - Medical Device Quality Management Systems 4
C ISO 13485 :2016 - CAPA - Does every CAPA need to be checked by regulations? ISO 13485:2016 - Medical Device Quality Management Systems 9
D ISO 13485 8.2.1 and 8.2.2 - Customer Feedback and Customer Complaints ISO 13485:2016 - Medical Device Quality Management Systems 5
Sravan Manchikanti How to interpret '8.3 Control of nonconforming product' for SaMD device while implementing ISO 13485 & MDSAP ISO 13485:2016 - Medical Device Quality Management Systems 4
M Getting started in ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 21
P ISO 13485:2016 MDSAP Certification Fee Survey ISO 13485:2016 - Medical Device Quality Management Systems 6
C SOP Template needed for ISO 13485 6.3 Infrastructure ISO 13485:2016 - Medical Device Quality Management Systems 9
T ISO 13485 8.3 - Non-Conforming Materials - on-line rework or part of process? ISO 13485:2016 - Medical Device Quality Management Systems 11
B Do IFU designs have to be document controlled under ISO 13485? Document Control Systems, Procedures, Forms and Templates 2
H ISO 13485 - Separate Microbiology Audits ISO 13485:2016 - Medical Device Quality Management Systems 3
C Production and Post Production feedback - ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 4
T ISO 13485 - 5.5.1 Responsibility and authority - Small Company Independence ISO 13485:2016 - Medical Device Quality Management Systems 13
O ISO 13485 vs. GMP - Comparison matrix wanted EU Medical Device Regulations 4
O ISO 13485 - Is management review required before stage 1? ISO 13485:2016 - Medical Device Quality Management Systems 6
O In addition to the standard, what other ISO 13485 sources do people recommend? ISO 13485:2016 - Medical Device Quality Management Systems 5
Watchcat ISO 13485 for IVD (In-vitro Diagnostic Device) Manufacturers? ISO 13485:2016 - Medical Device Quality Management Systems 9

Similar threads

Top Bottom