What Are ISO 13485:2016 Validation Requirements?

Top seven questions answered

Published: Wednesday, July 12, 2017 - 12:03

With ISO 13485:2016—“Medical devices—Quality management systems—Requirements for regulatory purposes” published and being implemented, many medical device customers are experiencing some uncertainty about the effect that one of the standard’s key changes might have on their business: computer software validation.

Software validation can be an ambiguous subject within the medical device industry, and questions are arising around the associated regulatory and operational obligations for medical device companies following the updated ISO standard.

Here, I address some of the direct questions I am seeing from clients in the medical device industry and hopefully will clarify how software providers, such as ourselves at Ideagen, can support medical device organizations with their transition to ISO 13485:2016 and their validation requirements.

What is validation?

Compliance management is a commitment to proactive, continuous improvement and must be integrated into the culture of a company. A crucial, and often mandatory, part of compliance management is having a validation process to verify that your systems are compliant and function according to specifications. The type of data, decisions, and results imputed and obtained from computer systems can ultimately impact the quality and safety of a product or service. Validation processes can safeguard these outputs.

Validation of computer systems is a requirement within a number of life science industries. Validation is a critical tool used to check that your computer systems are fit for the purpose of your intended use. It ensures the quality of device software and configuration of the software; this is achieved through a number of “checks.” Validation checks that your computer systems “do what you want them to do” and prevent you from doing “things you shouldn’t be able to do.”

Software validation has many commercial benefits; according to the U.S. Food and Drug Administration (FDA), it can increase usability and reliability, resulting in decreased failure rates, fewer recalls, and corrective actions, less risk to patients and users, and reduced liability to manufacturers. In essence, validation should provide evidence of control.

Beyond regulatory compliance, validation, when done properly, can be a long-term cost saver and in conjunction with the appropriate controls can shine a light on potential product issues long before they happen.

Who implements it?

Validation can be difficult and time-consuming, and many companies find the process of validating a system considerably more complicated than implementing the software system itself. The responsibility for implementing and maintaining validation can vary from company to company.

In large organizations, for example, there may be an internal validation department that is responsible for ensuring that the validation requirements within regulations, such as ISO 13485, are met within the organization. However, due to the aforementioned complexity of implementing validation, even large organizations often choose to outsource their validation requirements.

Small and medium-sized companies usually do not have the necessary skills and resources in-house, so validation is often outsourced. It must be remembered, though, that the organization is responsible for any compliance requirements regarding validation, and must stand up to audit and regulatory scrutiny.

One of the key benefits to outsourcing is maintaining the integrity of the validation process. Having an independent service provider validate systems avoids the software provider having any conflict of interest.

Seven questions answered on ISO 13485 validation

1. What software requires validation under ISO 13485? Per Section 4.16 of the standard, this means any application that is being used to support the development of, or maintenance of, a medical device. Any application that falls under those areas requires validation.

The level of software validation required can be determined by adopting a risk-based approach: the higher and more critical the impact and effect of the software, the more intense the validation required. Complex systems such as enterprise resource planning (ERP), electronic quality management systems (eQMS), and laboratory information management systems (LIMS) would require an extensive validation approach.

The manufacturing process for making or maintaining the device will also need to be validated as well due to particular elements that relate to the environment, the equipment used within the process, and the distribution of the device.

2. ISO 13485:2016 states more explicit requirements for software validation for different applications. How does this affect our compliance requirements? ISO 13485 has always implicitly implied that software applications supporting the design, development, and quality management system (QMS) processes should be validated. The standard was updated to stipulate that software systems supporting the QMS now must be validated.

3. Why do I need to validate my eQMS? As well as the potential impact of the eQMS on the product, one of the key changes to ISO 13485 is the clarification that regulatory requirements are now expected to be considered along with what is required by the standard. If you are planning on selling your device in the United States, as an example, 21 CFR Part 820 would require your eQMS to be validated. Hence, ISO 13485 is more harmonized to global regulatory requirements.

4. Does the software provider not validate its own software? Using Ideagen as an example, we take our software delivery process extremely seriously. All versions of our Q-Pulse software are stringently tested before release. However, the validation requirements of ISO 13485 are specific to your intended use of the application and the uniqueness of your configuration. Thus, any software that you decide to use needs to be validated in the context of how it supports your company’s operations, practices, and requirements.

5. Do I have to test all the functions of the software? The simple answer is no. Again, referring Q-Pulse software, our validation partner CompliancePath performs a full third-party independent validation of all available functions. When you are considering buying a software product, the vendor should provide provided with options to suit your specific validation requirements. At Ideagen, we offer a life science validation pack for Q-Pulse, which reduces the validation burden.

6. What does revalidation mean, and when will I be required to do it? Revalidation occurs when an updated version of the software you choose is released and you choose to install it. Typically, revalidation is a short process that simply focuses on new functionality and checks any potential impact on functionality from the previous version.

7. Can a validated eQMS reduce the risk to my business? Yes, validating your eQMS provides an assurance of secure data, audit logs, and increases the integrity of your record keeping and supplier quality processes.

As mentioned earlier, the purpose of this article is to try and answer some of the frequent questions I am faced with on a day-to-day basis from our life science clients. I hope I have answered them. Alternatively, I have also created an informative flier that you can download from our website here.

In the meantime, happy validating!

About The Author

Claire McCluskie

Claire McCluskie has worked within Ideagen’s Life Sciences team for over three years. During that time she has built a deep understanding of the industry demands and requirements, particularly in the topics of validation and data integrity. Aligning her knowledge of the industry and Ideagen’s products and services to the business needs of the industry is a key objective of her role.