ID: lorem ipsum dolor
The purpose of this SOP is to describe the process for validation of computer and/or software systems to be used for product or organizational processes with a potential impact on the organization's quality management system or performance and safety of medical products produced by the organization.
This covers software used for production and service provision as defined by ISO 13485:2016 4.1.6, 7.5.6, and 7.6, ISO/TR 80002-2:2017, GAMP5 methodology, and 21 CFR Part 11 compliance requirements, and MDR 2017/745, and IVDR 2017/746.
In order to determine if a software is in scope for the quality management system, a high level of definition of the process and use of the software should be considered first. The two criteria should be considered for qualification of software for validation related to the quality management system:
If either criterion is considered true for the software, then it shall be validated within scope of this SOP.
Some software may contain only limited functionalities that fall within the medical device regulatory requirements. In this case, an analysis shall be performed to determine which parts of the software are considered to be in scope and which parts are not in scope. The software shall be validated only for the parts that are in scope.
The organizations will validate any processes for production and service provision where the resulting output cannot be or is not verified by subsequent monitoring or measurement and, as a consequence, deficiencies become apparent only after the product is in use or the service has been delivered. If the software does not meet these criteria, it is not subject to validation.
The software may be categorized according to GAMP5 guidelines to determine the appropriate level of validation effort. The categories are as follows:
The categorization will help in determining the computer system validation (CSV) approach and the extent of documentation required.
Before proceeding with the validation of non-medical device software, a risk assessment should be conducted to determine the level of validation required. The risk assessment should consider the following factors:
Based on the risk assessment, categorize the software into one of the following validation levels:
The results of the risk assessment should be documented in the Software Validation Form and used to guide the validation planning and execution.
The Software Validation Form shall be filled out for each software system that is subject to validation. The content and rigor of the validation should be determined by the risk associated with the software.
The stages of the validation process are Define, Implement, Test, Deploy and Maintain. The Software Validation Form shall be updated at each stage of the validation process. The validation phases are best performed sequentially, but some steps may be performed in parallel if needed
The Define phase of the development phase for software validation begins with providing a description of the software and its intended use. The following information should be considered in the Software Validation Form, as needed:
The Implement phase of the development phase for software validation considers how the software will be implemented into existing infrastructure. The following information should be considered in the Software Validation Form, as needed:
The Test phase of the development phase for software validation considers how the software will be tested to ensure performance and safety. The following information should be considered in the Software Validation Form, as needed:
Testing should be appropriate to the software being validated, the risk associated with the software, and the processes or quality management system aspects it is intended to automate.
The Deploy phase of the development phase for software validation considers how the software will be deployed into the organization. The following information should be considered in the Software Validation Form, as needed:
Deployment should be appropriate to the software being validated, the risk associated with the software, and the processes or quality management system aspects it is intended to automate.
The Maintain phase of the development phase for software validation considers how the software will be maintained and updated. The following information should be considered in the Software Validation Form, as needed:
Maintenance should be appropriate to the software being validated, the risk associated with the software, and the processes or quality management system aspects it is intended to automate. For some well established technologies, maintenance may be minimal or handled externally by that company. For some software, simple user feedback and occasional review of error logs is sufficient.
If the validation process is successful and the software is determined to be able to perform as intended, the software is considered validated and can be added to the List of Validated Software. The Software Validation Form should be saved as a record within the organization's quality management system.
If a software was found unable to meet the validation requirements, the software should not be integrated into the organization's processes or quality management system. The software can be re-evalauted at a later time, if needed. The Software Validation Form identifying the valiation failure and reasons why should be saved as a record within the organization's quality management system.
If new versions of the software released, the quality team will need to review those versions and new features to ensure that validation does not need to be repeated. If the intended use of the software changes then the validation will need to be repeated to account for the new scope of the intended use. As mentioned, the validation should be risk based and therefore if there are unchanged features of the software then the validation does not need to be repeated for those features.
For minor changes to the software that do not affect the intended use of the software or introduce new risks, the validation does not need to be repeated. Instead, the version of the software should be updated in the List of Validated Software prior to deployment.
If software that is validated and used in the organization is planned to be removed from the system, an evaluation should be performed by the quality team to determine the effects of the removal of the software on the organizational processes and the quality management system. Prior to decommissioning the software, appropriate measures should be implemented in order to ensure that the software is removed from the organization in a controlled manner with minimal risk.
New software that would replace the decommissioned software can be implemented simultaneously, although, it would need to undergo the validation procedures as outlined in this SOP prior to being deployed. Decommissioned software should be removed from the List of Validated Software once fully removed from the organization's systems.