Validation of Software regarding ISO 13485:2016

[Denzel]

Hi! I have a situation, where we use Confluence pages to store all our documents and records, which we use also for Software Validation records. Annually we review all our records and documents, as it written in our Document and Record Control SOP. Regarding the revalidation of the software, can we assert that we conduct this process annually since we review the software records each year? Or should it be every time a new record? Standard is not saying how you should do this, it's saying "The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software."

From standard ISO 13485
4.1.6 The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software. Records of such activities shall be maintained.

 

[yodon]

Annually we review all our records and documents, as it written in our Document and Record Control SOP.

Ugh... you might want to consider changing the Doc Control SOP. What good is an annual review of every record?

can we assert that we conduct this process annually since we review the software records each year?

No, that really has no bearing on the software / use.

Or should it be every time a new record?

Even worse! Seriously, you should only need to re-validate software if you make / get changes to it, change the intended use / use scenarios, etc.

I'm a proponent of the FDAs (draft) guidance on computer software assurance. Pretty practical approaches outlined and enables you to leverage testing done by the provider.

 

[Tidge]

The activity of reviewing records sound like a verification activity. Once the software has been validated: if no changes are being made to the software or its configuration (or its requirements!) there is very little reason to suspect that its validated state has been jeopardized.

Expanding on @yodon comments above: The most important review would not be of the records stored in the QMS but instead of evidence that software has been modified in some way, or that it is being used in a way for which it was not validated.

 

[Denzel]

Thanks for the answer.

I know it was not in a good way done, but we thought that could work

So, we got a nonconformance in this case, which raises to CAPA.

We will handle it, my idea is to use the Jira project, to have all these records. We will add risk to the issues and depending on this risk we will check it, so if Risk is High or Medium, then we will make a revalidation every 3 months. Do you think that could work?

 

[Tidge]

Revalidation every 3 months is extreme, and is probably incorrectly directed effort. What was the text of the non-conformance?

 

[Enternationalist]

@Denzel The way you're describing going about this suggests a deep and troubling lack of understanding of what validation is. Validation is about checking the system works, so that you can trust it to do what it is meant to do, and not have to keep checking every little thing it does.

 

[Denzel]

Revalidation every 3 months is extreme, and is probably incorrectly directed effort. What was the text of the non-conformance?

Non-conformance: Tool validation not fully effective (13485:2016 Cl. 4.1.6) Records of revalidation could not be found. Risk assessment for ZohoDesk could not be found.

 

[Denzel]

@Denzel The way you're describing going about this suggests a deep and troubling lack of understanding of what validation is. Validation is about checking the system works, so that you can trust it to do what it is meant to do, and not have to keep checking every little thing it does.

I added a non-conformance as the previous message. I'm uncertain about the meaning of revalidation in this context.

 

[Enternationalist]

Read 4.1.6. You need to validate the application of the software, and validate it again after any changes to the software or the application. Re-validation is that second part - validating it again after something changes. There is also a list in 7.5.6 of what to document for validation.

Validation is about demonstrating that a process can consistently achieve the planned result.

If you are not sure how to do that, I would spend a few days reading guidance like that linked by yodon and wrapping your head around it, and possibly getting help from somebody in your org who knows what they are doing. Understanding this concept is pretty basic to being effective in quality, so don't skimp on it.

 

[Tidge]

Non-conformance: Tool validation not fully effective (13485:2016 Cl. 4.1.6) Records of revalidation could not be found. Risk assessment for ZohoDesk could not be found.

It sounds to me like the problem is with your process for validating(*1) NPS, not with the specific tool.

The fundamental issue (per the NC) is this:

1. You have no documented evidence if the software needs to be validated (this is the risk assessment)
2. Assuming it needed to be (re)validated, those records must have been lacking/missing

(*1) "Validating" NPS isn't quite necessary... but you need to assess NPS. I'm simplifying a little because it sounds like you are in over your head, and such is not the time for nuance.