Dismiss Notice
You must be a registered member in order to post messages and view/download attached files in this forum.
Click here to register.

Validation of Softwares

Discussion in 'ISO 9001:2015 - Quality Management Systems' started by jamescrockford, Nov 16, 2018.

  1. jamescrockford

    jamescrockford Active Member

    Joined:
    Aug 1, 2017
    Messages:
    69
    Likes Received:
    18
    Trophy Points:
    7
    Hi all,

    Our company is currently 9001 certified but some of our customer have 13485 and we are edging towards it also.

    We have been asked by one of our customers to create a validation master plan for softwares that we use that can affect the product/service we provide e.g. the software used by our support desk.

    Has anyone come across this before? We have been told the validating itself only need to be very basic but need a master plan and procedure for the process.

    Any help would be much appreciated as always.

    J
     
  2. John C. Abnet

    John C. Abnet Well-Known Member

    Joined:
    May 23, 2017
    Messages:
    367
    Likes Received:
    227
    Trophy Points:
    42
    Location:
    Upper Midwest- USA
    Good day @jamescrockford;
    There is indeed a requirement in ISO 13485:2016.
    Specifically clause 4.1.6 states....

    4.1.6 The organization shall document procedures for the validation of the application of computer

    software used in the quality management system. Such software applications shall be validated pror to
    initial use and, as appropriate, after changes to such software or its application.
    The specific approach and activities associated with software validation and revalidation shall be
    proportionate to the risk associated with the use of the software.
    Records of such activities shall be maintained (see 4.2.5).

    While the ISO standard does not directly require your organization (i.e. "supplier") to comply with this, your customer is required to be responsible for the "evaluation and selection" of suppliers and to establish criteria for same. It is certainly within your customer's right to require compliance of clause 4.1.6 of their supply base, which I would assume is what they are doing.

    Notice that this is specified to be a risk based approach. A consideration is to identify all software which is utilized within the scope of your QMS (ERP for inventories and deliveries, spreadsheets within which their may be calculation formulas and/or macros, databases that track current revision of industry consensus standards, etc..etc..) Once that list is identified, a risk analysis (i.e. what's the potential impact to the customer if they do NOT perform as intended) can then be conducted. Once the priorities are established as result of risk, then your organization can determine which and what methods for validating (i.e. ensuring that they work as required/expected.)

    ISO 9000:2015 defines validation as...

    "confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled.'

    Hope this helps.

    Be well.



     
    Stanley and jamescrockford like this.
  3. jamescrockford

    jamescrockford Active Member

    Joined:
    Aug 1, 2017
    Messages:
    69
    Likes Received:
    18
    Trophy Points:
    7
    Hi John,

    This is very useful thank you.

    Completely agree with an understand what you are saying.

    My next question though, is around the how and the documentation required. On research I have found example validation master plans which is what our customer is looking for but also other templates such as validation protocols, reports and final reports, all of which would detail the validation activities and results. I'm concerned that this could be overkill though?
     
  4. Neo113016

    Neo113016 Member

    Joined:
    Jul 9, 2018
    Messages:
    42
    Likes Received:
    5
    Trophy Points:
    7
    Does the software being used by your support desk have license and updated?

    Does your IT staff have preventive maintenance plan for all the software you are using in your company?

    If your answers to the questions above are YES then you have no problem conforming with the requirement.
     
  5. Bart Verdoodt

    Bart Verdoodt New Member

    Joined:
    Mar 5, 2020
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bornem, Belgium
    Hello All,

    How about computer systems validation for ISO 9001:2015 itself?
    Paragraph 8.3.4 mentions the need for retained documented information on "design and development controls", and the validation of newly introduced computer systems can be seen as a part of that.
    But in our company, ICT is considered a global corporate process and it is only a supporting process for our manufacturing site.
    How critical is the need for evidence that our computer systems have been thoroughly tested and validated?

    Many thanks for your insights.
     
  6. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    3,375
    Likes Received:
    1,695
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Hi Bart! Welcome.

    What does the computer system do? Don't overlook that ISO 9001:2015 is about product quality (meeting specification) with the aim of satisfying customers' requirements. 8.3.4 is about product design. Only.

    I've yet to see a valid case where an ERP system, for example, or a CRM is audited for validation. I don't believe that's within the scope of the application of a QMS.
     
  7. Bart Verdoodt

    Bart Verdoodt New Member

    Joined:
    Mar 5, 2020
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bornem, Belgium
    Hi Andy,

    Thanks for the Welcome.
    Well, a customer pointed out during a customer audit that our computer systems (ERP, LIMS, ...) should be validated as otherwise we can't be sure their output (values on Certificates of Analysis for instance) is correct.
    And that can have an influence on product quality.
    ISO 9001:2015 is broader than just product quality. it is about the level of the quality management system. Hence the huge focus on KPI's, SWOT's and competences...
    It was not the first time that IT is brought up during an audit (customer or certification body), but it was the first time that the validation of computer systems came up.
    Which was the reason for my post here.
    So I am curious about the experiences of other quality people here.

    Have a nice day.

    Warm regards,

    Bart
     
  8. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    3,375
    Likes Received:
    1,695
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Customers auditors are unpredictable, since their competencies or biases are not well known. Certainly, if you have data which appear on outputs which go to customers in support of products, it makes sense to check they are correct (not rounding values for example). Frankly, auditors who bring up the validation of off the shelf (COTS) software have nothing better to do. They'll have you checking MS Excel next...

    BTW - I don't agree that ISO 9001 is "broader than product quality". KPIs, SWOTs aren't mentioned. It's dangerous to think that ISO 9001 encompasses more than it does - in exactly the same way as an auditor is questioning COTS software.
     
  9. Bart Verdoodt

    Bart Verdoodt New Member

    Joined:
    Mar 5, 2020
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bornem, Belgium
    You have a point there about auditors biases.
    But you can't convince me that ISO 9001 is limited to product quality only.
    Although - of course - a good QMS leads to excellent products and services.
     
  10. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    3,375
    Likes Received:
    1,695
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    Perhaps, for enlightenment, you'd share what your thoughts are...
     
  11. BradM

    BradM Moderator Staff Member

    Joined:
    Jul 31, 2015
    Messages:
    313
    Likes Received:
    253
    Trophy Points:
    62
    Location:
    Arlington, TX
    Hey James!

    What kind of software are you speaking of? Is this COTS (commercial off the shelf) software or something custom designed? Does any of this software need to comply with 21 CFR Part 11?

    What kind of system do you currently have for other systems that require periodic review?
     
  12. Bart Verdoodt

    Bart Verdoodt New Member

    Joined:
    Mar 5, 2020
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bornem, Belgium
    Hi Andy,

    The norm does mention "non-conforming materials", so the target of it is indeed increasing the quality of whatever is sold.
    But, when a company receives the ISO 9001-certificate, it can use the ISO 9001 logo on documents but not on packaging of material as that wold give the impression that it is the material that is certified. Which is not the case.
    ISO 9001:2015 strives to improve the business of the certified company. Hence the importance of risks and opportunities evaluation.

    Kind Regads,

    Bart
     
  13. Andy Nichols

    Andy Nichols Moderator Staff Member

    Joined:
    Jul 30, 2015
    Messages:
    3,375
    Likes Received:
    1,695
    Trophy Points:
    112
    Location:
    In the "Rust Belt"
    True! This is an accreditation rule. ISO 9001:2015 isn't a product certification hence logos can't be used to imply that. That's been the rules since 1990, when accreditation started in the Netherlands (RvC) and the UK (NACCB)
     

Share This Page