25
Jul
2021

Software Validation of Cloud Based Tools

,
,
0

Most medical device manufacturers use many, many software programs, systems, or services to automate quality system This software is not to be confused with product software – that is, software that runs as part of a medical device.  Medical device in this context could be custom hardware devices or Software as a Medical Device (SaMD).  Often this type of software is categorically referred to as “Non-Product Software”, “Quality System Software”, or “Tools.”

Software programs or services are used in many ways to automate quality system processes, and many of those processes are part of the product software development lifecycle.  For example, software systems are very often used to manage software requirements and specifications, track bugs or defects, manage software source code versions/branches, plan software development and verification activities, automatically execute test cases and evaluate pass/fail criteria, and many others.  Automation of quality system processes using software is highly encouraged as it reduces potential for human error, often captures richer data from the process, and ensures repeatability as staff members change.

However, both US regulations and international standards expect or require software that is used to automate quality systems processes to be validated for its intend use.  Validating this software clearly makes sense and should be part of our overall effort at assuring “product software quality.”  The FDA gives guidance on validating this type of software in the General Principles of Software Validation.  The approach, rigor, and on-going monitoring required to validate Non-Product Software greatly depends upon the “risk to product quality” resulting from failures of that Non-Product Software.  A common mistake is to attempt to approach validation of tools with a one-size-fits-all mentality or naively thinking that some standard (e.g., GAMP) will be appropriate for all types of tools.  Manufacturers, in their effort to assure quality, end up wasting enormous time and resources conducting very low value validation paper-work that, ironically, leads to less assurance of quality.  Obviously a “process risk analysis” should be used to properly plan and scale the validation – but that is another topic for another time.

A significant challenge that a manufacturer or developer will face is with the use of tools where the configuration will rapidly change.  Often we find this situation with cloud-hosted tools where the tool vendor will be deploying new versions/updates frequently.  This presents a challenge for one to argue that the tool “continues to be” in a validated state.  This raises many questions and every tool may likely have a different set of answers:

  • Should a manufacturer re-validate the tool each time a new configuration/version is pushed?
  • Can the manufacturer control the pushes and decide when to accept the new version?
  • Does the tool vendor notify of new releases?
  • Does the tool vendor identify what has changed from the previous version? and to what detail do they provide?
  • Does the tool vendor have any scheme for major, minor, and patch level releases?
  • Is there a way to deploy a test environment to validate the new release prior to deployment to the live environment?
  • Does the overall process, for which the tool automates some portion, have downstream quality control checkpoints that would catch potential software errors?
  • Does the automated workflow self-check in any way such that potential tool software errors might be caught?

There are likely many other questions to ask as well.  The answers to these questions, along with the process risk analysis, will help you formulate a plan appropriate and efficient for that tool or maybe even a class of tools.

About the author

Partner and General Manager, Brian Pate is ISO 1385:2016 Lead Auditor certified for Medical Device Quality Management Systems (MD), and ISO 19011:2018 Management Systems Auditing (AU) and Leading Management Systems Audit Teams (TL). Brian started his medical device career in anesthesia clinical research in 1985 and has since worked both academia and industry including many years with Johnson & Johnson, Baxter Healthcare, and GE Medical. Brian’s roles have included software engineering, systems engineering, quality assurance, and regulatory affairs. Brian has served on multiple AAMI TIR working groups, including TIR32-2008 (Application of ISO 14971 Risk Management to Software; now IEC 80002-1) and TIR45-2012 (Guidance on the use of Agile practices in the development of medical device software) and served as a reviewer for the 2nd edition of TIR45. Brian serves on the AAMI Software Committee and as an AAMI instructor for the software, design controls, and agile methods courses. Brian also is a member of the Underwriters’ Laboratories (UL) Standards Technical Panel for UL1998 (Software in Programmable Components) and or UL5500 (Remote Software Updates).

SoftwareCPR Training Courses

ISO13485:2016 ISO 13485 Internal Audit(or) Training Course (Live, 3-day)

IEC 62304 and other Emerging Standards Impacting Medical Device Software (Live, 3-day)

Being Agile & Yet CompliantISO 14971 SaMD Risk Management

Software Risk Management

Medical Device Cybersecurity

Software Verification

IEC 62366 Usability Process and Documentation

Or just email training@softwarecpr.com for more info.

Corporate Office

15148 Springview St.
Tampa, FL 33624
USA
+1-781-721-2921
office@softwarecpr.com
Partners located in the US (CA, FL, MA, MN, TX) and Canada.