Don’t ever believe what you hear. Instead, look it up. I think the software requirements are minimal in the newly released ISO 13485:2016 standard, but other experts disagree.

In the QSR, software is also covered, and regulatory requirements are included in the scope for ISO 13485:2016. Therefore, you must comply with the following requirements from 21 CFR 820:

21 CFR 820.30(a)(i) – Class I devices automated with computer software are subject to design controls.

21 CFR 820.30(g) – Design validation shall include software validation and risk analysis, where appropriate.

21 CFR 820.70(i) – Automated processes. When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.

21 CFR 802.181(a) – Device master record. The DMR for each type of device shall include, or refer to the location of, device specifications including appropriate drawings, composition, formulation, component specifications and software specifications.

In addition to compliance with regulatory requirements, the ISO 13485:2016 standard includes the following requirements for software:

Clause 4.1.6 – The organization shall document procedures for the validation of the application of computer software used in the quality management system. Such software applications shall be validated prior to initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software. Records of such activities shall be maintained.

Clause 6.3 – The organization shall document the requirements for the infrastructure needed to achieve conformity to product requirements, prevent product mix-up and ensure orderly handling of product. Infrastructure includes, as appropriate: b) process equipment (both hardware and software);

Clause 7.5.6 – The organization shall document procedures for the validation of the application of computer software used in production and service provision. Such software application…(repeat of boilerplate).

Clause 7.6 – The organization shall document procedures for the validation of the application of computer software used for the monitoring and measurement of requirements. Such software applications…(repeat of boilerplate).

I don’t any of these requirements are really new, but the standard is eliminating any possibility that validation software can be considered optional. If your company has software that is not validated, what should you do? Create a quality plan that includes software validation. The plan should be risk-based. If you have software that affects safety or efficacy, then you need to consider the risk of product already distributed. If there is no effect to safety and efficacy, then the risk-based priority of software validation is low. There is a 3-year transition for the new Standard. Therefore, if it takes a year or two for your company to validate all applicable software that’s ok–unless it affects safety and efficacy.

Does this sound like a major change or a clarification of requirements for software validation?

If you want to learn more about the ISO 13485:2016 requirements, you might be interested in the following webinar training bundle: http://medicaldeviceacademy.com/iso-13485-2016-webinars/.

You might also be interested in my next live webinar on the topic of the design history file (DHF): http://medicaldeviceacademy.com/design-history-file-dhf-webinar-for-21-cfr-820-30j-compliance/.

source: https://www.linkedin.com/groups/2070960/2070960-6121266963978215427