Rob Packard
March 2016
What are the new requirements for software validation?

Don’t ever believe what you hear. Instead, look it up. I think the software requirements are minimal in the newly released ISO 13485:2016 standard, but other experts disagree.

In the QSR, software is also covered, and regulatory requirements are included in the scope for ISO 13485:2016. Therefore, you must comply with the following requirements from 21 CFR 820:

21 CFR 820.30(a)(i) – Class I devices automated with computer software are subject to design controls.

21 CFR 820.30(g) – Design validation shall include software validation and risk analysis, where appropriate.

21 CFR 820.70(i) – Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.

21 CFR 802.181(a) – Device master record. The DMR for each type of device shall include, or refer to the location of, device specifications including appropriate drawings, composition, formulation, component specifications and software specifications.

In addition to compliance with regulatory requirements, the ISO 13485:2016 standard includes the following requirements for software:

Clause 4.1.6 – The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software. Records of such activities shall be maintained.

Clause 6.3 – The organization shall document the requirements for the infrastructure needed to achieve conformity to product requirements, prevent product mix-up and ensure orderly handling of product. Infrastructure includes, as appropriate: b) process equipment (both hardware and software);

Clause 7.5.6 – The organization shall document procedures for the validation of the application of computer software used in production and service provision. Such software application…(repeat of boilerplate).

Clause 7.6 – The organization shall document procedures for the validation of the application of computer software used for the monitoring and measurement of requirements. Such software applications…(repeat of boilerplate).

I don’t think any of these requirements are really new, but the standard is eliminating any possibility that validation software can be considered optional. If your company has software that is not validated, what should you do? Create a quality plan that includes software validation. The plan should be risk-based. If you have software that affects safety or efficacy, then you need to consider the risk of product already distributed. If there is no effect to safety and efficacy, then the risk-based priority of software validation is low. There is a 3-year transition for the new Standard. Therefore, if it takes a year or two for your company to validate all applicable software that’s ok–unless it affects safety and efficacy.

Does this sound like a major change or a clarification of requirements for software validation?

If you want to learn more about the ISO 13485:2016 requirements, you might be interested in the following webinar training bundle: http://medicaldeviceacademy.com/iso-13485-2016-webinars/.

You might also be interested in my next live webinar on the topic of the design history file (DHF): http://medicaldeviceacademy.com/design-history-file-dhf-webinar-for-21-cfr-820-30j-compliance/.

source: https://www.linkedin.com/groups/2070960/2070960-6121266963978215427

Posted by Rob Packard
Asked on March 31, 2016 12:00 am

Richard Young You are correct, this shouldn't be a major change for most organisations, rather a statement of intent that best practice in this area will actually be actively audited by ISO auditors. It is usually omitted from scrutiny because of lack of understanding.
Dan Brown Robert: I agree that this change is minimal for OEMs, however component suppliers have not previously been required to validate such extraneous software (i.e., not directly involved in part manufacture or testing). I agree in principle to QMS software validation, but I am apprehensive about the actual implementation. First, unlike the automotive and aerospace industries, there is no clear guidance accepted throughout the medical industry on what should be done and how extensive of a validation is acceptable. In another forum I posted several examples of software now required to be validated but provable to have zero risk to the ultimate patient. Why should my clients be required to extend any effort to "validate" such applications running error free for over any number of years prior to this release?
Michael Chellson, RAC It's critical to remember that "Risk" is the operative word. The level of validation must be commensurate with the risk. Not all software has the same level of risk, so the level of validation must be scaled to that level.
Markus Angst In "old Europe" we would rather stay - thanks or due to harmonization - with EN IEC 62304 for device SW/FW, soon-to-come 82304 for standalone SW products, and GAMP5 for manufacturing processes. These are the references to compare ISO 13485:2016 with, not 13485:2003.
Alex Bromberg When did these new requirements become effective? Are you forced to re-validate already validated software to comply with the change in requirements or would this just apply to new software moving forward?
Anil Bhalani That is because just like risk management (ISO 14971), software lifecycle requirements for a device are covered in the standard document EN ISO 62304. FDA software requirements for a device are covered in the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices. Similarly, there are standards and guidance documents for automated process software.
Why aren't you considering ISO 62304?
Hema Lakkaraju Thanks
Edwin Bills, ASQ Fellow, RAC The proper reference is IEC 62304 as it is not an ISO standard but an IEC standard. The clue is in the numbering, 60,000 series are all IEC standards.
Karen Boyd, ASQ CQA I think the changes are significant, with respect to more technologically advanced and/or new devices that incorporate software into, (or in conjunction with), their intended use. Elements of the standard, (as relative government requirements), need to keep in pace with the evolution of devices, as well as remain relevant for those devices that may not undergo technological advancements or change.
Cathy Behrendt IEC 62304 should be used with TIR 80002-1 to assess risk and not just ISO 14971.
Alex Bromberg Anyone have answers to my questions? If so I'd appreciate hearing them.
Thanks.
Marcelo Antunes Also, these requirements are not for software embedded in medical devices, but for software used in the QMS.
Marcelo Antunes For QMS software validation (not embedded software), we are creating IEC 80002-2. It's in the draft stage right now. The revised requirements were created with this document in mind.
Marcelo Antunes For QMS software validation (not embedded software), we are creating IEC 80002-2. It's in the draft stage right now. The new requirements were created with this document in mind.
Dan Brown ISO 13485:2016 was effective March 1, 2016 and must be implemented by certified companies by March 1, 2019. Device OEMs have had to comply with these requirements since around 1996 when the current format of the QSR (21CFR820) became effective. No special re-validation is required, but if you are using software that has never been validated, you will need to conduct some type of validation to prove that it is functioning as intended.
Rob Packard Marcelo is correct that IEC 62304-1 is intended for embedded software that medical device manufacturers develop. ISO 13485:2016 is referring to validation of QMS software, validation of automated equipment, validation of software used for calibration and embedded software for devices. This is why software validation is mentioned in four different clauses. In general, as an auditor I find very few companies (even software companies) that adequately validate software in the three areas outside of embedded software for devices. When I say "adequately", what I mean is...no procedure, no master validation plan and no records of validation.
Rob Packard Thank you to everyone for the active participation in discussion. Tomorrow's announcement will be posted just before my webinar.
Karen Boyd, ASQ CQA My apologies to the group for creating any confusion.