Validation of Software

Published On - May 10, 2022

I3CGlobal MDQMS IQA

Validation of Software Used for Monitoring and Measurement

[ISO 13485 Cl, 7.5.6] 

According to ISO 13485:2016, the validation of software used in production or in monitoring and measurement is a mandatory requirement under Clause 7.5.6. This ensures that such software consistently performs as intended and that product conformity and patient safety are not compromised.

“The organization shall validate any processes for production and service provision where the resulting output cannot be verified by subsequent monitoring or measurement. This includes computer software used in the production and service provision.”

To ensure that software-dependent processes produce consistent, reliable, and accurate results — even when the final output cannot be completely verified through inspection or testing.

Software validation here applies to:

  • Software that directly affects product realization, and

  • Software used in measuring, monitoring, or testing product performanc

Key ISO 13485 Requirements

  1. Validation Before Initial Use

    • Before software is used in production or monitoring, it must be validated to demonstrate it performs as intended.

    • Validation should confirm that:

      • Inputs are processed correctly

      • Outputs are accurate and traceable

      • The software functions reliably under normal and stress conditions

    • This is often done via Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ) — especially for high-risk processes.

  2. Revalidation

    • Required whenever:

      • Software or hardware changes occur

      • Operating environment changes

      • Process parameters or regulatory requirements change

  3. Validation Plan

    • Should define:

      • The scope and intended use of the software

      • Validation approach and acceptance criteria

      • Risk assessment

      • Test methodology and data requirements

      • Responsibilities and approval steps

  4. Documented Evidence

    • Maintain records for each stage:

      • Validation plan

      • Test protocols and test results

      • Deviation logs and corrective actions

      • Validation summary or report

      • Approval signatures

  5. Risk-Based Approach

    • The extent of validation depends on:

      • The intended use of the software

      • The impact of a software failure on product quality or patient safety

    • ISO 14971 (risk management) can support determining validation depth.

  6. Change Control

    • Any modification, update, or patch to the software must go through change control and revalidation, ensuring no negative impact on process performance.

  7. Competence

    • Validation should be conducted by qualified personnel who understand both the software system and the regulated manufacturing process.

ISO 13485 PRICING
ISO 13485 COST CALCULATOR
ISO 13485 PROPOSAL REQUEST
CONTACT US

INTERNAL AUDIT TOOL

Step 1 of 3
Frequently Asked Questions

What does ISO 13485 mean by software validation in production and monitoring?

It means verifying and documenting that software used to control, monitor, or measure production processes performs as intended and consistently. 

Why is validation necessary before the initial use of software?

Because once the software is implemented in production or testing, its output directly impacts product quality and patient safety. If unvalidated software generates incorrect data or controls a faulty process, the defect may not be detected later hence, validation ensures accuracy before impact.

How is software validation different from software verification?

  • Verification confirms that software has been built correctly (meets design specifications).

  • Validation confirms that software performs correctly for its intended use in the real environment.
    In ISO 13485, you must validate the software’s actual use in production or measurement, not just its design.

What kind of software is covered under Clause 7.5.6?

Any software that directly affects product conformity, such as:

  • Production control systems (PLC, SCADA, CNC)

  • Automated testing or inspection software

  • Environmental monitoring software

  • Label printing or barcode verification systems

  • Measurement data acquisition programs

Note: QMS-only software (document control, CAPA tracking, etc.) is covered under Clause 4.1.6, not 7.5.6.

How should off-the-shelf (COTS) software be handled?

Even for commercially available software, you must:

  • Define its intended use in your process

  • Evaluate risks associated with its failure

  • Perform installation and functional verification in your specific environment
    Validation must demonstrate that the software works correctly for your application, not just rely on vendor documentation.

How should off-the-shelf (COTS) software be handled?

Even for commercially available software, you must:

  • Define its intended use in your process

  • Evaluate risks associated with its failure

  • Perform installation and functional verification in your specific environment
    Validation must demonstrate that the software works correctly for your application, not just rely on vendor documentation.

What records must be maintained for software validation?

Typical validation documentation includes:

  • Validation plan (objective, scope, criteria)

  • Risk assessment

  • Test protocols and raw test data

  • Validation report and approval signatures

  • Revalidation records

  • Change control forms referencing validation impact

How does software validation link to risk management (ISO 14971)?

Software failures can cause product or process risks. Therefore, validation results and identified hazards should be linked to the risk management file, demonstrating that risks associated with software use are controlled and acceptable.