Welcome to the first in a series of blogs where we will start to break down ISO 13485:2016 (ISO 13485). As someone who has both implemented and audited a Quality Management System (QMS) to the requirements of ISO 13485, the nuance and interpretation of the standards of the various users, from auditors to auditees and everyone in between, never ceases to amaze me.<\/p>\n
This past week, I posted a poll on LinkedIn asking:<\/p>\n
\u201cAs per ISO 13485, is it true or false that a medical device organization that uses spreadsheets is only required to validate spreadsheets that contain calculations?\u201d<\/strong><\/p>\n The results were interesting where 17% believed the statement to be true, versus 83% believing the same statement to be false.\u00a0 A resounding voice from the \u201cfalse camp\u201d!<\/p>\n So, what is the correct answer?<\/p>\n Drum roll please\u2026. the requirement to validate spreadsheets extends beyond only spreadsheets that contain calculations.<\/p>\n Spreadsheets that contain any quality related data, even those without calculations, will be subjected to some level of validation.<\/p>\n The level of validation will depend on the type of quality data captured, and what the spreadsheet is intended to do with that quality data.<\/p>\n But before I explain, let\u2019s explore the various standards, regulations and guidance documents that outline or define the requirements around software validation, and more specifically spreadsheet validation.<\/p>\n The clauses captured throughout Clause 4 of ISO 13485<\/a> are related to the planning phase of the QMS.\u00a0 Clause 4.1.6 makes it a mandatory requirement that organizations have a procedure in place for software validation used in the quality management system.<\/p>\n It is important to recognize that this clause is not only referring to software that are used directly in your QMS, but also any software that is used to support the management system, for example, spreadsheets.<\/p>\n It is also important to know, that when the statement is made to validate spreadsheets, that does not mean to validate the excel software itself, but rather, the spreadsheet.<\/p>\n In addition, clause 7.5.6 \u2013 Validation of processes for production and service provisions also requires organizations to document procedures for the validation of the application of software used in production and service provision.<\/p>\n Importantly, both clause 4.1 6 and clause 7.5.6 specifies that the approach to the validation activities shall be proportionate to the risk associated with the use of the software.\u00a0 It is this risk that determines the level of validation that will be applied to the spreadsheets in use.<\/p>\n Our US based friends are not that different to their ISO 13485 counterparts.<\/p>\n 21 CFR 820.70(i) states that \u201cWhen computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented\u201d<\/em>.<\/p>\n The FDA\u2019s guidance document \u2013 \u201cGeneral Principles of Software Validation\u201d advises that \u201cMany other commercial software applications, such as word processors, spreadsheets, databases, and flowcharting software are used to implement the quality system. All of these applications are subject to the requirement for software validation, but the validation approach used for each application can vary widely\u201d.<\/em><\/p>\n And what about \u201cPart 11\u201d compliance?\u00a0 Well, one should also consider what records need to comply with the FDA Electronic Records and Signature Regulation or 21 CFR Part 11.<\/p>\n Part 11 applies to:<\/p>\n But what does 21 CFR Part 11 say about software validation?<\/p>\n Well, indulge me for but a moment while I break it down.<\/p>\n Firstly, 21 CFR 11.10 states that \u201cPersons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:<\/em><\/p>\n (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records\u201d.<\/em><\/p>\n But what is a closed system I hear you ask.\u00a0 21 CFR Part 11 defines a closed system as \u201can environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system\u201d. <\/em><\/p>\n Phew, don\u2019t worry this will all become clearer now that we have squared away where the standards and regulations define the requirements of software validation.<\/p>\n It is not lost on me that I have strayed beyond ISO 13485 specifically, but it is also stated at Clause 4.1.1 that organizations not only need to maintain effectiveness of their QMS as per the standard, but also those pesky regulatory requirements.<\/p>\n So why not throw you some additional information eh?<\/p>\nISO 13485<\/strong><\/h2>\n
FDA Regulations<\/strong><\/h2>\n
Why Part 11 Compliance Matters for Spreadsheet Validation<\/strong><\/h3>\n
\n
Key Requirements of 21 CFR Part 11 for Software Validation<\/strong><\/h3>\n