Medical Device Makers and Component Suppliers Software Validation Reminder

Written by Rand E. Winters - ASR Senior Auditor on . Posted in ASR Quality & Standards Blog

Medical-device-1Medical device manufacturers will want to review their QMS documents to ensure they are addressing software  validation requirements.

ISO 9001:2008 - and the FDA requirements in 21 CFR 820.30 and 21 CFR 820.70i spell out validation requirements for software design as well software in the production environment.

If your organization is only a component manufacturer, the FDA requirements will probably not impact you. Your customer may insert software validation as a customer specific requirement in their PO or in their customer requirement manual.

Software validation as described in ISO 13485 is nearly identical to the FDA. However, ISO 13485 requires a  documented procedure and clearly calls for validation after changes/upgrades to software.

Two types of software require validation: (1) a custom designed software by your organization that your firm develops and installs in a computer, PLC or other automated device. This software could be used in your manufacturing  environment or sold to a customer. (2) Off-theshelf purchased software or software in a controller that is part of your manufacturing equipment must be validated.

Suppliers of metal or plastic medical device components need to conform to ISO 13485's requirement for software validation. A good place to start is obtaining the FDA guideline book entitled "General Principles of Software Validation; Final Guidance for Industry and FDA staff".

This guide was issued January 11, 2002 and is available as a download from the FDA site at no charge. This guideline document is easy to read and general in nature. It does not mandate anything, but it provides guidance.

Medical-device-2Custom designed software must go through the design planning, verification and validation process. See Element 7.3 of ISO 13485. FDA's guideline document effectively addresses the addition of software design to the existing requirements of product design. This process is covered in Sections 3 through 5 of the FDA guidance document. software. However, they may use or modify an off-the-shelf software package. This software may be purchased inside of an injection  molding machine or a CNC machining center.

Below is guidance information from Section 6 of the FDA guidance document as discussed previously.

"The level of validation effort should be commensurate to the risk posed by the automated process". Example of a risk would be the programming in a CNC machining center. If there were no ongoing inspection or final inspection after the part was made, the risk would be somewhat higher than the normal practice of 1st piece inspection, operator's sample
inspection, and a final inspection prior to packaging of the product.

In most cases, component suppliers do not develop.
Medical-device-3How might validation be conducted? The FDA guidance document (6.2) provides a good plan for validation of purchased software:
  1. Document requirements for system performance, quality, error handling, startup, shutdown, security, etc.
  2. Identify any safety related functions or features, such as sensors, alarms, interlock, logical processing steps, or command sequences
  3. Define objective criteria for determining acceptable performance.
This validation could be as simple as a performance test of the equipment meeting criteria specified by the supplier and/or your organization. What is the next step after a review of the guidance documents?

ISO 13485 firms will want to review their documented procedure for software validation to ensure it addresses new  software, software changes, and the requirement of maintaining records. This segment of ISO 13485 provides guidance but does not mandate a specific validation method.

Transfer your certificate to ASR

We make it easy,
and affordable.

  1. Contact Us
  2. ASR Review
  3. Legal Documents / Approval
  4. Transfer

News Delivered to Your Inbox

Standards of Interest:

Latest Poll

How do you train your employees?


  • IATF 16949
  • Intl. Automotive Task Force
  • BS 25999
  • OHSAS 18001

Medical Devices

  • ISO 13485
  • Product Safety
  • Device Recalls
  • Emergency Situations


  • AS9100
  • AS9110
  • AS9120
  • SAE Technical Standards


  • ISO 14001
  • EPA Regulations
  • EMS Tools
  • Emergency Preparedness