Do I need a qualified compiler for class B software?

#1
I am developing firmware for a medical device which fulfills the criteria for class B software.

The firmware is written in C and C++, for which some vendors provide toolchains that have certification for many standards, including IEC 62304 (e.g. Arm Compiler, IAR EWB). So far, we have used the free non-certified GNU Arm Embedded Toolchain for development. The certified versions are proprietary and quite expensive, so we would prefer to avoid their use. Furthermore, I have never, in two years of development, come across a compiler bug.

My question is: will it be necessary to use a qualified compiler/toolchain (or qualify the compiler ourselves), or can we use a non-qualified compiler?

I believe that it is not the case that we require a qualified compiler (i.e. we don't need any special considerations other than documenting its version and how it integrates with our build process and perhaps including compiler bugs as part of our risk analysis), and I found a blog post (unfortunately, I am not allowed to post links) that says that it is only necessary for class C devices, but I am not entirely certain and I am looking for some confirmation.
 

yodon

Staff member
Super Moderator
#2
By "qualified" do you mean putting it through something like IQ/OQ/PQ? If that's what you mean, then I don't subscribe to qualifying compilers. The software testing that you will do will provide far better assurance of functioning software than any kind of qualification protocol.

Of course, all this is predicated on the assumption that your internal procedures don't drive any specific qualification actions. And it's not a bad idea to double-check the manufacturer's specs to ensure you have an environment (OS, RAM, etc.) compatible with the tool.

You do want to "qualify" a toolchain for the target environment; i.e., choose a suitable one, preferably one that is commonly used (and those you mention certainly are).

A bit off topic, but there's a little less clarity on whether compilers / IDEs should be considered SOUP. It's my position that if you're using the libraries provided by the tool then there is certainly an element of SOUP. So in addition to just documenting its version, you should consider risks from unexpected results or failure of SOUP and evaluate the known anomalies with SOUP (these are applicable to Class B and C).
 
#3
I suppose what I meant by "qualification" is any sort of process that would provide satisfactory assurance of the correctness and suitability of the compiler for regulatory compliance (such as compilation tests or compliance with e.g. IEC 62304 which the certified toolchains I mentioned provide).

The fact that you didn't mention these kinds of tests or certification requirements, combined with the blog post I mentioned, puts me at ease with regard to the need for a certified toolchain. We will certainly include compiler errors in our risk analysis, although it seems like we should be able to assign them a very low probability.
 

Tidge

Trusted Information Resource
#4
Aside from the excellent point about (SOUP) libraries provided by @yodon, there are only two areas involving compilers which would motivate some discussion 'above and beyond' simply detailing the compiler used:

1) Configuration management / Lifecycle concerns for your software: You may establish a configuration management plan that implies (or states) that you could reconstruct an executable (or the like) from source files. This by itself would not require validation of the compiler, but it would require you to document and archive the compiler used to create the executable that was subjected to software system testing. Vendor toolkits have a habit of vaporizing; you may need to archive license keys as well as the compiler sources.

2) Unit / Integration testing: If white/gray-box testing of code relies on specific features of the compiler (e.g. comparing different outputs when different compiler switches are used), the compiler really ought to be treated as any other tool, and be qualified. Having written that, it will be nearly impossible (for most medical device companies) to validate certain aspects of a compiler, so if that path is taken (for the Medical Device Software testing) you shouldn't put too much weight behind such results. I think that it is generally possible to construct a comprehensive test plan such that if low-level testing relies on the compiler, it would be possible to establish higher level (System) tests that provide the necessary confidence that the Medical Device Software is working as necessary.
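
Added example, not part of any post in this thread: one way to make the "document and archive the compiler" point checkable is to record a manifest of the toolchain binaries, the bundled libraries and the compiler switches at the time of system testing, then compare every later build environment against it. The role names, file names and flags below are hypothetical, and the "tools" are constructed placeholder files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a toolchain file in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tools: dict, flags: list) -> dict:
    """tools maps a role (e.g. 'cc', 'libc') to the file used for it."""
    return {
        "tools": {role: {"file": Path(p).name, "sha256": sha256_file(Path(p))}
                  for role, p in sorted(tools.items())},
        "flags": list(flags),
    }


def diff_manifest(archived: dict, current: dict) -> list:
    """Return human-readable deviations from the archived (tested) toolchain."""
    findings = []
    for role in sorted(set(archived["tools"]) | set(current["tools"])):
        a, c = archived["tools"].get(role), current["tools"].get(role)
        if a is None:
            findings.append(f"{role}: not in archived manifest")
        elif c is None:
            findings.append(f"{role}: missing from current toolchain")
        elif a["sha256"] != c["sha256"]:
            findings.append(f"{role}: binary differs from archived copy")
    if archived["flags"] != current["flags"]:
        findings.append("flags: compiler switches differ from tested build")
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cc = Path(d) / "arm-none-eabi-gcc"       # constructed stand-in file
        cc.write_bytes(b"constructed compiler build A")
        tested = build_manifest({"cc": cc}, ["-O2"])
        cc.write_bytes(b"constructed compiler build B")  # silent upgrade
        for line in diff_manifest(tested, build_manifest({"cc": cc}, ["-O2"])):
            print(line)
```

An empty result means the environment matches what was system-tested; any finding is a configuration-management deviation to record before the build is released.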
 