The organization is required to validate all processes that are related to the medical device or other services provided, where the organization cannot measure and monitor the results of the processes or the services throughout the realization processes. It is applicable on medical devices (or services) where defects are revealed only after they are already delivered or provided.  The organization is required to identify these certain processes required to be validated. The validation (of these "special" processes) shall indicate how these processes achieved the required results.  
While planning the validation, the organization shall describe the methods of conducting the process validation. Methods such as tests, evidences of process ability and of course the results of the validation.
While planning the validation of processes, the organization shall refer to the next issues:

First let us go over the fundamental definitions. Just to be sure…

Validation – an approval according to objective evidences that the requirements for the product intended use are fulfilled.

Revalidation – a re-approval of validation in case there any changes occurred within the process, a change of equipment, a change in human resources, raw material – anything that may affect the product.

The first additional requirement here is to maintain a documented procedure for computer software validation. Now, what do the Swiss guys in Geneva want from us (or from your organization, if I may be precise)?  Let's start to uncover this requirement. When the software forms a part of the device, or has been used to design the device or to produce the device, according to 13485, it is needed to be validated prior to initial use. In other words, when the software can affect the medical device's or the service's quality, it must be validated prior to initial use.

In which cases, a computer system would affect the product?

• Records keeping
• Data analysis
• Performing activities from a process flow
• The software is a part of the medical device

When changes have been made to the software, revalidation is required to evaluate its competence to the product. Why revalidation? A small change in a small software may cause a great affect on your product and averse the product's requirements.  When any change (small or wide) had been made to the software, the whole validation process must be reevaluated and for the whole software, not only for the small component that was changed. It is required to determine the extent and impact of that change on the entire software system. Of course, we mustn't forget any regulatory requirements (such as the FDA for software validation or Quality System Regulation outlined in 21 CFR Part 820). When required, the organization must implement these requirements as well.

Everything is clear? I sure hope so…

We are still with the software's validation. The next step is to document the validation process. The organization must establish a set of documented procedures describing the validation process of the software.  We may encounter documentations such as:

• Validation Policy
• Lifecycle for the Selection, Implementation, Validation and Use of Off-the-Shelf Computer Systems
• Requirements for Computer System Requirements, Validation Plans, Protocols, and Reports
• Computer System Risk Evaluation for Determining Risk Mitigations, Validation Activities, and the Extent of Testing
• Change Control for Validated Systems
• Computer System Project Proposal
• Computer System Vendor Qualification and Management
• Guidance: Items to Evaluate in an IQ, OQ, or PQ for a Computer System
• Guidance – Validation Activities for Systems at the Low-, Moderate, and High Risk Levels
• Validation Plan Template for Single Validations
• Computer System Technical Requirements Template
• Computer System Specification Template
• IQ Template
• OQ Template
• PQ Template
• Validation Final Report Template
• IT Policy
• Need any more examples?

Bottom line, the validation process must be documented within procedures and records of performing the process must be maintained. From the list above, use what is appropriate for your organization and the nature of your medical device.

Now' we are done with the software's validation. The documentation of the validation processes (all validations not only computer software) shall be included under the records control procedure. That means that these records are part of your quality management documentation and needed to be documented in the records control procedure as specified in paragraph 4.2.4 – control of records.  Actually there is not additional requirement here because the ISO 9001 Standard requires it as well.

7.5.2.2 Particular requirements for sterile medical devices

This requirement is an extent requirement. It is not required by the ISO 9001 Standard.

The organization is required to perform validation over the sterilization processes. The validation processes are required to be documented as a procedure.

Documentation of the validation processes shall be included under the records control procedure. That means that these records are part of your quality management documentation and needed to be documented in the records control procedure as specified in paragraph 4.2.4 – control of records. 

As always, the ISO 13485 Standard gives a large scale to sterilization processes. Sterilization may make the difference between life and death!  When (any kind of) sterilization process is required, the organization shall establish a set of documented procedures describing how to conduct and validate the sterilization processes with emphasis on the validation. The validation of the sterilization is to be initiated prior to the intended use.

In more simple words, sterilization processes shall be validated according to defined methods. Why? It is very simple. A sterilization process is required to a minimum efficacy. The efficacy is measured on the basis of protocols and scientific experiments designed to demonstrate that the sterilization process would deliver a sterile product. Any data resulted out of the sterilization processes may be used for drawing conclusion and making decisions or releasing medical devices for use. Based on the scientific validity of the protocols and methods, as well as on the scientific validity of the results and conclusions, the organization is required to validate the efficacy of the sterilization process. Validation is an approval according to objective evidences that the requirements for the product's intended use are fulfilled. In this case the product regarded here is the sterilization processes. Now, after explaining let's review how it should be achieved:

• It is suggested (but not required) to define the sterilization processes. The ISO 13485 Standard does not require documentation of the sterilization processes but it would support the validation latter on.
• Next, the organization is required to maintain a documented procedure describing how it validates the sterilization processes.
• It is required to determine that the sterilization activities are conducted prior to the initial use of the product.
• Record of the validation activities must be kept and shall be included under the records control procedure.