Medical device manufacturers will want to review their QMS documents to ensure they are addressing software validation requirements.
ISO 9001:2008 -188.8.131.52 and the FDA requirements in 21 CFR 820.30 and 21 CFR 820.70i spell out validation requirements for software design as well software in the production environment.
If your organization is only a component manufacturer, the FDA requirements will probably not impact you. Your customer may insert software validation as a customer specific requirement in their PO or in their customer requirement manual.
Software validation as described in ISO 13485 is nearly identical to the FDA. However, ISO 13485 requires a documented procedure and clearly calls for validation after changes/upgrades to software.
Two types of software require validation: (1) a custom designed software by your organization that your firm develops and installs in a computer, PLC or other automated device. This software could be used in your manufacturing environment or sold to a customer. (2) Off-theshelf purchased software or software in a controller that is part of your manufacturing equipment must be validated.
Suppliers of metal or plastic medical device components need to conform to ISO 13485's requirement for software validation. A good place to start is obtaining the FDA guideline book entitled "General Principles of Software Validation; Final Guidance for Industry and FDA staff".
This guide was issued January 11, 2002 and is available as a download from the FDA site at no charge. This guideline document is easy to read and general in nature. It does not mandate anything, but it provides guidance.
Custom designed software must go through the design planning, verification and validation process. See Element 7.3 of ISO 13485. FDA's guideline document effectively addresses the addition of software design to the existing requirements of product design. This process is covered in Sections 3 through 5 of the FDA guidance document. software. However, they may use or modify an off-the-shelf software package. This software may be purchased inside of an injection molding machine or a CNC machining center.
Below is guidance information from Section 6 of the FDA guidance document as discussed previously.
"The level of validation effort should be commensurate to the risk posed by the automated process". Example of a risk would be the programming in a CNC machining center. If there were no ongoing inspection or final inspection after the part was made, the risk would be somewhat higher than the normal practice of 1st piece inspection, operator's sample
inspection, and a final inspection prior to packaging of the product.
In most cases, component suppliers do not develop.
How might validation be conducted? The FDA guidance document (6.2) provides a good plan for validation of purchased software:
- Document requirements for system performance, quality, error handling, startup, shutdown, security, etc.
- Identify any safety related functions or features, such as sensors, alarms, interlock, logical processing steps, or command sequences
- Define objective criteria for determining acceptable performance.
ISO 13485 firms will want to review their documented procedure for software validation to ensure it addresses new software, software changes, and the requirement of maintaining records. This segment of ISO 13485 provides guidance but does not mandate a specific validation method.