Software Validation in Medical Device Companies
Scope of Software Validation
Medical device companies must implement software validation for all software that impacts the quality, safety, and efficacy of medical devices. Specifically, this includes the following categories:
First, software directly related to the medical devices themselves: software used as a component, part, or accessory of a medical device, as well as software that constitutes the medical device itself (standalone programs, known as SaMD: Software as a Medical Device).
Second, software used in the operation of the medical device quality management system: software used within the quality management system, software used in manufacturing and service provision, and software used to fulfill monitoring and measurement requirements.
However, software that does not impact the quality, safety, or efficacy of medical devices—such as basic administrative systems—is excluded from validation requirements.
Two Types of Software Validation
Software validation is broadly classified into two categories:
First, software embedded within medical devices themselves requires “design validation.” This is a process conducted during the development phase to ensure that the designed software functions appropriately for its specified intended use and meets user requirements.
Second, software used in quality management systems and manufacturing processes requires “Computer System Validation (CSV).” CSV is a process that demonstrates the software is reliable and functions appropriately for its intended use.
Detailed Regulatory Requirements
Requirements under QMS Regulations and ISO 13485:2016
Japan’s Quality Management System (QMS) regulation has been periodically amended to achieve alignment with ISO 13485:2016, the international standard for medical device quality management systems. The QMS regulation requires design validation for software used as a component, part, or accessory of a medical device, as well as for software that constitutes the medical device itself (SaMD).
ISO 13485:2016 establishes similar software validation requirements. The following clauses are particularly relevant:
Clause 4.1.6 specifies validation requirements for software used within the quality management system. This applies to systems used for quality document creation and management, CAPA (Corrective and Preventive Action) management, risk management, and design and development management.
Clause 7.5.6 specifies validation requirements for software used in manufacturing and service provision. This encompasses manufacturing equipment control software, production scheduling systems, and inventory management systems.
Clause 7.6 specifies validation requirements for software used to fulfill monitoring and measurement requirements. This includes measuring equipment control software and systems for recording and analyzing measurement data.
The Concept of Non-Product Software
Software referenced in clauses 4.1.6, 7.5.6, and 7.6 of ISO 13485:2016 is termed “Non-Product Software.” Unlike software embedded in the medical device itself, non-product software supports various processes such as design, manufacturing, quality management, and monitoring/measurement of medical devices. CSV is required for this category of software.
ISO/TR 80002-2 as a Regulatory Framework
Positioning of ISO/TR 80002-2
Generally, international standards such as ISO 13485 establish only requirements (What: what must be done), not implementation methods (How: how to implement it). The rationale is that if the standard included implementation methods, non-compliance with those specific methods could result in findings during regulatory audits. However, what companies truly need is practical guidance on implementation methods.
To address this gap, ISO sometimes publishes Technical Reports (TR) that provide detailed explanations of implementation approaches. A TR is not a requirement but rather a reference document, and compliance with it is not mandatory.
ISO/TR 80002-2:2017 was published in June 2017 as a reference document to explain the implementation methods for CSV as required by ISO 13485:2016. This Technical Report was created to assist stakeholders—including manufacturers, auditors, and regulatory authorities—in understanding and applying software validation requirements.
Key Principles in ISO/TR 80002-2
ISO/TR 80002-2 employs a risk-based approach utilizing critical thinking to determine appropriate software validation activities. The report emphasizes that not all software requires the same level of validation; the depth and breadth of validation activities vary based on factors such as software complexity, associated risks, and the quality and stability of externally sourced software.
Specifically, ISO/TR 80002-2 explains necessary validation activities using the concept of a “Toolbox.” Validation activities may include requirement specification review, risk analysis, design review, testing, change management, and user training. Based on a risk-based approach, companies should select and implement the necessary activities from the toolbox appropriate for their software.
Challenges with ISO/TR 80002-2 and Practical Implementation
However, ISO/TR 80002-2 contains detailed and complex content, making it difficult for many companies to comprehend fully. Its technical nature can be challenging to navigate, which somewhat contradicts the intended purpose of providing an understandable reference document. There is a clear need for more accessible guidance to support practical implementation.
Data Integrity and Software Validation
The relationship between software validation and the ER/ES Guideline (Validation of Software Used in Medical Device Quality Management Systems Regarding Electromagnetic Records and Electronic Signatures) is also important. The ER/ES Guideline establishes requirements for the use of electromagnetic records and electronic signatures in quality management systems, requiring the assurance of data authenticity, readability, and preservation.
Software validation must simultaneously satisfy the data integrity requirements specified in the ER/ES Guideline. Particularly for software that records and preserves quality records or audit trails, validation must encompass not only functional validation but also assurance of data integrity.
Importance of Risk-Based Approach
The amendments to the QMS regulation, aimed at achieving alignment with ISO 13485:2016, have heightened the emphasis on a risk-based approach to software validation. Implementing the same rigorous level of validation for all software could impose a significant burden on companies and potentially hinder innovation.
The critical element is for each company to determine the appropriate scope and depth of validation activities based on risk assessment. For software that significantly impacts the quality, safety, or efficacy of medical devices, comprehensive validation should be implemented, while for software with limited impact, a streamlined approach may be adopted. This strategy makes validation activities both effective and efficient.
Conclusion
Software validation in medical device companies is an essential activity for assuring the quality, safety, and efficacy of medical devices. Understanding the frameworks provided by the QMS regulation, ISO 13485:2016, and ISO/TR 80002-2, and establishing an effective validation strategy based on a risk-based approach will enhance the company’s regulatory compliance capability and contribute to patient safety.