Nowadays, automation and information systems appear at every stage of the implementation and process management of production processes. The software, which is a fundamental part of these systems, not only ensures the fulfilment of system functions but also makes the process traceable by producing data about the processes. It is of great importance to verify that the software functions are fully and correctly performed in these systems, which have a direct impact on product quality and safety. For this reason, software validation activities should be carried out, software functions should be tested, and it should be verified that the process controls are available and sufficient to ensure product quality and data integrity in addition to product safety.
In the EN ISO 13485: 2016 and FDA 21 CFR 820.70,it is stated that the computerized systems and software that provide production and process controls should be validated. It should be noted that in automation systems, software is an integral part of hardware and directly impacts its functions. It should be ensured that the software works correctly, is configured for the purpose, and appropriate security measures and controls are provided against changes in the software that will affect the product quality.
Similarly, ISO 13485:2016 emphasizes the need for software validation of quality management systems. All information systems critical to the product should be validated in the facilities. Accurate, understandable and clear documentation of the Computerized System Validation (CSV) work is extremely important. Documentation should accurately represent validation activities and provide sufficient evidence.
When production facilities are in question, a wide variety of systems is encountered. Because of this diversity, effective and sustainable planning of validation activities is of great importance. With a risk-based approach, validation processes can be carried out appropriately, effectively and at a low cost.ISO 14971:2019 provides guidance on effective risk management on systems by evaluating the impact of each software on product quality and patient health with a risk-based approach.
Some examples of such software and systems are listed below:
- Infusion pump rate determination software
- picture archiving and communications software (PACS)
- Image processing software
- Standalone applications that collect remote patient data for expert evaluation
- Smartphone applications for medical use (ECG, ophthalmic evaluation etc.)
- Radiation therapy planning software
- Radiotherapy measurement software
- Applications that collect and program data from active implantable devices
- Electronic Quality Management Systems
- Production machines
- Environmental conditions monitoring and control systems
- Analytical devices in laboratories
- Warehouse management systems
- Modules of enterprise resource planning systems that affect product quality
ISO/TR 80002-2, on the other hand, provides a roadmap for the application of the risk-based validation approach to the production and quality systems used in the production of medical devices. This guide sets out the principles on how to perform validation planning for each phase, taking into account the life cycle of software design, development, use, and deprecation.
One way to effectively plan on-site validation activities is to classify software to identify appropriate validation activities. The software can be classified in different approaches according to the hardware they work with (PLC, PC, Network etc.), complexity level, and type of supply (standard/development). Regarding the implementation of validation activities, a classification methodology is given in the GAMP5 manual. This guide provides a risk-based validation approach for software and sheds light on making appropriate validation choices for systems.
An important stage of software validation activities is the testing of software functions. The scope of the tests to be performed should be determined for each system according to the software class, the intended use of the system, and the anticipated risks. In addition to the software functions, the correct structuring of the usage configurations, data integrity criteria and system security tests should also be included in the scope. Moreover, controls and procedures should be established for the use of software, ensuring its security and regulating the life cycle of data. Thus, it is ensured that the valid status will continue throughout the life of the system, not just at the time of the tests.
