SBS - The Best Value in QMS software

Adopting old product - compliance with IEC 62304

globatron

Starting to get Involved
#1
Hello everyone,

I am currently dealing with a situation where a product that was not a medical device before might have to be transitioned to the MDR space. We already dealth with most of the requirements (13485, 14971...) but with regards to 62304 it becomes tricky since the product is standalone software.

62304 foresees that old software can be used as legacy software, in case it was placed on the market before 2010. This is the case for the initial version, but it was not placed on the market as a medical device and was updated thereafter regularly. Therefore i guess the clause about legacy software is not applicable.

There is a lot of documentation available on the development including verification&validation, change requests etc., but it is not 62304 compliant. Would we have to re-do everything from scratch (reverse-engineering?) or is there any chance to "transform" old documentation and development to be in compliance with 62304? Treat it as SOUP etc.?

Thanks!
 
Elsmar Forum Sponsor

Tidge

Trusted Information Resource
#2
In order to claim compliance with 62304, you will need to have evidence of the existence of the specific deliverables required per the software system safety classification. The required deliverables of 62304 are commensurate with the safety classification. If you find you are missing certain necessary deliverables, then you will need to create them, starting with a formal classification of the software system. This will give you an idea of how big the potential gaps could be.

Since the codebase already exists, there may be some elements of the development plan that won't be applicable, but you will still need to establish requirements, traceability from requirements (to controls, etc.), and a lifecycle plan. It sounds as if there is an established process for software management, so the other area to make sure is under control is risk management.
 

globatron

Starting to get Involved
#3
thanks a lot for the explanation!

So it should be ok to conduct a gap analysis? Afterwwards we would set up a plan, document what was already there and which gaps we have identified, based on the requirements, and what we wold plan on closing those gaps. We would then have a part of the documentation according to the old process as well as new documentation to accompany the old documentation, showing that we filled any gaps.

I think it will be easier once we reached product version 1.0, since from there we can fully conduct software maintenance according to 62304.

Regarding the safety classification: is it correct to assume that only hazardous situations caused by the software itself should be assumed here? Therefore topics like "intentional missuse" do not have to be reflected in the safety classification?

Thanks again!
 

yodon

Staff member
Super Moderator
#4
62304 does address the concept of Legacy Software and the approach to bring things in line. Indeed, a gap analysis is indicated, but so are the risk management activities. From your gap analysis, you develop a [documented] plan to

"...generate the identified DELIVERABLES. Where available, objective evidence may be used to generate required DELIVERABLES without performing [the indicated] ACTIVITIES"

All changes going forward are to be managed in accordance with 62304. Finally, you need to document a rationale for continued use of the legacy software.

Can the software be intentionally misused such that it would allow harm? I'm thinking, for example, of an infusion pump. The drug being delivered has a max delivery rate. The software should not allow the (intentional misuse) case of allowing the operator to program a delivery rate exceeding the max.
 

globatron

Starting to get Involved
#5
Thanks a lot for further explaining the requirements. Legacy Software would require though, that the software was used as a medical product previously, right? The software was marketed before for years, but not as a medical device but will become a medical device by updating the intended purpose.

The software is quite safe to use, it provides information for diagnosis which can (and must be) fully verified by professional users before utilizing for diagnosis. Therefore the only way harm could be caused is by intentionally ignoring the intended purpose of the product and instructions for use. We covered such aspects through ISO 14971.
 

yodon

Staff member
Super Moderator
#6
Legacy Software would require though, that the software was used as a medical product previously, right?
There's nothing in the standard that would lead me to believe this is the case.

Be sure you cover both false positive and false negative cases in your risk analysis, if you haven't already.
 

Tidge

Trusted Information Resource
#7
Legacy software is defined in 62304:

LEGACY SOFTWARE: MEDICAL DEVICE SOFTWARE which was legally placed on the market and is still marketed today but for which there is insufficient objective evidence that it was developed in compliance with the current version of this standard.
 

globatron

Starting to get Involved
#8
Right, but placed on the market would mean "as a medical device" or in general placed on the market? As I said before, the product was not used as a medical device and will only be placed on the market as a medical device in 2021.

Thank you!
 

TomaszPuk

Starting to get Involved
#9
As you are developing medical device software I would treat that "project" as first design and development iteration under ISO13485. One of the design and development inputs to the project would be the requirement to follow IEC62304 standard. During Software Development Life Cycle (SDLC) as you define software safety classification for you software you would be able to assess the gap between what you have on docs / engineering / tools and what you should have.
Then you would start addressing these gaps on the levels such as:
1. Engineering e.g. implementing risk control measures, security measures, etc.
2. Processes like risk management, architecture reviews, installation, maintenance etc.
3. Documentation - adding missing docs and records.
The biggest gap is usually in documentation and then within verification and validation processes. When you approach the release you would collect the documents (old and new once) that are required for e.g. Class B and deliver them as Design Outputs to ISO13485 level. If your system was well implemented, the scope of engineering changes would be still minimal while the documentation / processes would close the gap to IEC62304.
 

Tidge

Trusted Information Resource
#10
Right, but placed on the market would mean "as a medical device" or in general placed on the market? As I said before, the product was not used as a medical device and will only be placed on the market as a medical device in 2021.
If the device was not on the market as a medical device, but you now believe it to be a medical device, I am inclined to be suspicious about claims that it could be treated as legacy software.... but I am more skeptical that it actually is somehow now a medical device, if it was already on the market and was not a medical device. I can imagine that this is the case, but I remain skeptical.

62304 is a standard for the development of medical device software. The activities required as part of 62304 derive from a risk analysis. "Legacy" status doesn't remove the requirements around performing a risk analysis. Are you comfortable telling us where you have landed in the software system safety classification?
 
Thread starter Similar threads Forum Replies Date
T PPAP & APQP - What other sectors are Adopting/Adapting these Concepts? APQP and PPAP 14
M Adopting New Sites and Divisions into an existing ISO 9001 Scope ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
C Is approval needed for adopting observations made during audit? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
M Why are EU harmonized particular standards so old & out-of-date? IEC 60601 - Medical Electrical Equipment Safety Standards Series 11
Q New QMS...Old Projects ISO 13485:2016 - Medical Device Quality Management Systems 5
M Old Master Schedules - How Long to Keep? Document Control Systems, Procedures, Forms and Templates 4
I Old Time Scatter diagrams for defect type and location- software Quality Tools, Improvement and Analysis 7
C Refreshing an old and boring topic - Job descriptions and Roles vs Process Documentation ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 38
Q Old products new class - Dental Devices - Choosing tests EU Medical Device Regulations 2
K Old medical devices -> 7.3.7. Design and development validation ISO 13485:2016 - Medical Device Quality Management Systems 1
M Interesting Discussion Curious old drawings about electrical shock and safety IEC 60601 - Medical Electrical Equipment Safety Standards Series 1
Marc Interesting Discussion The periodic table is 150 years old - March 2019 Coffee Break and Water Cooler Discussions 3
Marc Old Registered Visitors "Pruned" from the Database - 20180916 Forum News and General Information 0
Marc 200-year-old museum in Rio de Janeiro Destroyed by Fire - 2 SEPT 2018 World News 2
C Document Control - old revision vs new revision Document Control Systems, Procedures, Forms and Templates 22
Marc Adventures in Design Quality Assurance - Two-week-old Pixel 2 XL displays World News 0
A Training Program Help - Old docs, new docs, so many docs... ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
K Canada License Amendment - Old Product to New Product Canada Medical Device Regulations 2
B Old GD&T Symbol "~" Inspection, Prints (Drawings), Testing, Sampling and Related Topics 2
L Sources for Searching Old Electronic Parts Specs (Counterfeit Inspection) Quality Manager and Management Related Issues 3
Q Modifying an old printed record? ISO 9001 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
G Customer wants PPAP on Old Parts to New Standards APQP and PPAP 8
A Technical File Maintenance - Old generation product EU Medical Device Regulations 4
A PUWER (Provision and Use of Work Equipment Regulations) and old machines (UK rules) Occupational Health & Safety Management Standards 4
E I'm looking for old publications of European Quality in pdf Book, Video, Blog and Web Site Reviews and Recommendations 2
J How to Retrofit an old, manual CMM Calibration and Metrology Software and Hardware 5
C Upgrading an old Supermicrometer General Measurement Device and Calibration Topics 3
S Old Medical Device Software Submission Guidance from 1998 Other US Medical Device Regulations 8
G Not quite old news: Statement of Applicability IEC 27001 - Information Security Management Systems (ISMS) 3
R IMDS time frame submission for a very old product APQP and PPAP 1
M Old software and EN 62304 - ECG software for the display of ECG IEC 62304 - Medical Device Software Life Cycle Processes 2
W Where to find the Daimler DBL 6992 10 new (old) standard Customer and Company Specific Requirements 1
P Performance Qualification of old Rapid Mixer Granulator Qualification and Validation (including 21 CFR Part 11) 2
Q IQ Requirements for Old (10 yrs) Commissioned Equipment Qualification and Validation (including 21 CFR Part 11) 2
R Covegratulations to The Cove: 18 years old! Covegratulations 3
N FDA Aspects - No Improvements to 12 Year Old Software ISO 13485:2016 - Medical Device Quality Management Systems 4
T Software that will overlay Old Revision and New Revision Print and Compare Inspection, Prints (Drawings), Testing, Sampling and Related Topics 6
M Old MSDS Sheets vs new HCS Standard - Format Requirements Manufacturing and Related Processes 18
H Digging Up Bones - Inspector Retrieving Very Old Inspection Data Inspection, Prints (Drawings), Testing, Sampling and Related Topics 3
V Old 510(k) with no Indication Statement 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
K Retrospective DHF for an old non-registered device 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
F Receiving a new Gage Block Set with an old Certificate Calibration Frequency (Interval) 3
Randy Looky here - Check out my 9-month old Great-Grandson Hayden Coffee Break and Water Cooler Discussions 4
G Help with an old Spectrum 1000BX FTIR unit - User Manual wanted Manufacturing and Related Processes 2
M AS9100A (old revision) - Required C=0 sampling plans if sampling was used? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 4
R Using Curve Fits and Predictions in place of good old Measurements General Measurement Device and Calibration Topics 3
N What to do about very old MSDS Sheets Occupational Health & Safety Management Standards 24
C Hazards of Old Electronics Quality Manager and Management Related Issues 9
D Registrar Requesting Copies of Old Documents AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 14
V We put Old plating spec on supplier prints and need to PPAP to Customer. APQP and PPAP 1

Similar threads

Top Bottom